Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: disable nodeIntegration / webviewTag by default #16235

Merged
merged 1 commit into from Jan 7, 2019

Conversation

Projects
None yet
4 participants
@miniak
Copy link
Contributor

commented Jan 2, 2019

Description of Change

The previous default values have been deprecated in Electron 4.0. Follow up to #15045 and #16004.

BREAKING CHANGE

Checklist

  • PR description included and stakeholders cc'd
  • npm test passes
  • tests are changed or added
  • relevant documentation is changed or added
  • PR title follows semantic commit guidelines
  • PR release notes describe the change in a way relevant to app-developers

Release Notes

Notes: The default values of nodeIntegration and webviewTag are now false to improve security.

@miniak miniak requested review from as code owners Jan 2, 2019

@miniak miniak force-pushed the miniak/disable-node-integration branch 3 times, most recently from d47d14e to 3977d2f Jan 2, 2019

@miniak miniak force-pushed the miniak/disable-node-integration branch from 3977d2f to 0cba8ab Jan 3, 2019

@miniak miniak self-assigned this Jan 3, 2019

@miniak miniak force-pushed the miniak/disable-node-integration branch 2 times, most recently from ab85ebc to c3fd1b8 Jan 3, 2019

@miniak miniak added the wip label Jan 3, 2019

@miniak miniak force-pushed the miniak/disable-node-integration branch 3 times, most recently from c20b5fd to d5a3c98 Jan 3, 2019

@miniak miniak requested a review from as a code owner Jan 3, 2019

@miniak miniak force-pushed the miniak/disable-node-integration branch from d5a3c98 to 418e63d Jan 5, 2019

@miniak miniak removed the wip label Jan 5, 2019

@miniak miniak changed the title [wip] chore: make nodeIntegration / webviewTag defaults false chore: make nodeIntegration / webviewTag defaults false Jan 5, 2019

@miniak miniak changed the title chore: make nodeIntegration / webviewTag defaults false chore: disable nodeIntegration / webviewTag by default Jan 7, 2019

SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
SetDefaultBoolIfUndefined(options::kWebviewTag, node);
SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kContextIsolation, false);

This comment has been minimized.

Copy link
@MarshallOfSound

MarshallOfSound Jan 7, 2019

Member

This default was also deprecated

This comment has been minimized.

Copy link
@miniak

miniak Jan 7, 2019

Author Contributor

@MarshallOfSound I know, this one will be handled in a separate PR.

@alexeykuzmin alexeykuzmin merged commit fade3eb into master Jan 7, 2019

26 of 27 checks passed

Artifact Comparison Changes Detected
Details
Absolute Zero
Semantic Pull Request ready to be squashed
Details
WIP Legacy commit status override — see details
Details
appveyor: win-ia32-debug AppVeyor build succeeded
Details
appveyor: win-ia32-testing AppVeyor build succeeded
Details
appveyor: win-ia32-testing-pr AppVeyor build succeeded
Details
appveyor: win-x64-debug AppVeyor build succeeded
Details
appveyor: win-x64-testing AppVeyor build succeeded
Details
appveyor: win-x64-testing-pr AppVeyor build succeeded
Details
ci/circleci: linux-arm-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-arm-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-arm64-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-arm64-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-checkout Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-testing-tests Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-testing-tests Your tests passed on CircleCI!
Details
electron-arm-testing Build #20190105.3 succeeded
Details
electron-arm64-testing Build #20190105.3 succeeded
Details
electron-lint Build #20190105.2 succeeded
Details
electron-mas-testing Build #20190105.3 succeeded
Details
electron-osx-testing Build #20190105.2 succeeded
Details
release-notes Release notes found
@release-clerk

This comment has been minimized.

Copy link

commented Jan 7, 2019

Release Notes Persisted

The default values of nodeIntegration and webviewTag are now false to improve security.

@alexeykuzmin alexeykuzmin deleted the miniak/disable-node-integration branch Jan 7, 2019

andrewkisliakov-citrix added a commit to andrewkisliakov-citrix/electron that referenced this pull request Jan 22, 2019

@miniak miniak referenced this pull request Apr 6, 2019

Merged

docs: update nodeIntegration section for new defaults #17715

4 of 4 tasks complete

deepak1556 pushed a commit to microsoft/vscode that referenced this pull request May 8, 2019

Deepak Mohan
Enable node integration for browser window
The default values have been flipped for security in
electron/electron#16235

deepak1556 added a commit to microsoft/vscode that referenced this pull request May 10, 2019

REVIEW: Enable node integration for browser window
The default values have been flipped for security in
electron/electron#16235

deepak1556 added a commit to microsoft/vscode that referenced this pull request May 16, 2019

REVIEW: Enable node integration for browser window
The default values have been flipped for security in
electron/electron#16235

deepak1556 added a commit to microsoft/vscode that referenced this pull request May 16, 2019

REVIEW: Enable node integration for browser window
The default values have been flipped for security in
electron/electron#16235
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.