Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: disable nodeIntegration / webviewTag by default #16235

Merged
merged 1 commit into from Jan 7, 2019
Merged
Changes from all commits
Commits
File filter...
Filter file types
Jump to…
Jump to file or symbol
Failed to load files and symbols.

Always

Just for now

@@ -99,9 +99,9 @@ WebContentsPreferences::WebContentsPreferences(
// Set WebPreferences defaults onto the JS object
SetDefaultBoolIfUndefined(options::kPlugins, false);
SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);
bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true);
SetDefaultBoolIfUndefined(options::kNodeIntegration, false);
SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
SetDefaultBoolIfUndefined(options::kWebviewTag, node);
SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kContextIsolation, false);

This comment has been minimized.

Copy link
@MarshallOfSound

MarshallOfSound Jan 7, 2019

Member

This default was also deprecated

This comment has been minimized.

Copy link
@miniak

miniak Jan 7, 2019

Author Contributor

@MarshallOfSound I know, this one will be handled in a separate PR.

@@ -18,7 +18,6 @@ exports.load = async (appUrl) => {
backgroundColor: '#FFFFFF',
webPreferences: {
contextIsolation: true,
nodeIntegration: false,
preload: path.resolve(__dirname, 'renderer.js'),
webviewTag: false
},
@@ -20,11 +20,7 @@ win.on('closed', () => {
win = null
})
let view = new BrowserView({
webPreferences: {
nodeIntegration: false
}
})
let view = new BrowserView()
win.setBrowserView(view)
view.setBounds({ x: 0, y: 0, width: 300, height: 300 })
view.webContents.loadURL('https://electronjs.org')
@@ -250,8 +250,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
`new-window-for-tab` event.
* `webPreferences` Object (optional) - Settings of web page's features.
* `devTools` Boolean (optional) - Whether to enable DevTools. If it is set to `false`, can not use `BrowserWindow.webContents.openDevTools()` to open DevTools. Default is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled. Default
is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled.
Default is `false`.
* `nodeIntegrationInWorker` Boolean (optional) - Whether node integration is
enabled in web workers. Default is `false`. More about this can be found
in [Multithreading](../tutorial/multithreading.md).
@@ -353,7 +353,7 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
integration disabled. **Note:** This option is currently
experimental.
* `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
Defaults to the value of the `nodeIntegration` option. **Note:** The
Defaults to `false`. **Note:** The
`preload` script configured for the `<webview>` will have node integration
enabled when it is executed so you should ensure remote/untrusted content
is not able to create a `<webview>` tag with a possibly malicious `preload`
@@ -1603,7 +1603,7 @@ removed in future Electron releases.

* `browserView` [BrowserView](browser-view.md). Attach browserView to win.
If there is some other browserViews was attached they will be removed from
this window.
this window.

#### `win.getBrowserView()` _Experimental_

@@ -38,7 +38,7 @@ const parseOption = function (name, defaultValue, converter = value => value) {
}

const contextIsolation = hasSwitch('context-isolation')
let nodeIntegration = hasSwitch('node-integration')
const nodeIntegration = hasSwitch('node-integration')
const webviewTag = hasSwitch('webview-tag')
const isHiddenPage = hasSwitch('hidden-page')
const isBackgroundPage = hasSwitch('background-page')
@@ -64,14 +64,11 @@ if (contextIsolation) {
if (window.location.protocol === 'chrome-devtools:') {
// Override some inspector APIs.
require('@electron/internal/renderer/inspector')
nodeIntegration = false
} else if (window.location.protocol === 'chrome-extension:') {
// Add implementations of chrome API.
require('@electron/internal/renderer/chrome-api').injectTo(window.location.hostname, isBackgroundPage, window)
nodeIntegration = false
} else if (window.location.protocol === 'chrome:') {
// Disable node integration for chrome UI scheme.
nodeIntegration = false
} else {
// Override default web functions.
require('@electron/internal/renderer/window-setup')(ipcRenderer, guestInstanceId, openerId, isHiddenPage, usesNativeWindowOpen)
@@ -32,7 +32,10 @@ describe('electron module', () => {
window = new BrowserWindow({
show: false,
width: 400,
height: 400
height: 400,
webPreferences: {
nodeIntegration: true
}
})
})

@@ -298,7 +301,12 @@ describe('app module', () => {
password: 'electron'
}

w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})

w.webContents.on('did-finish-load', () => {
expect(w.webContents.getTitle()).to.equal('authorized')
@@ -375,7 +383,12 @@ describe('app module', () => {
expect(webContents).to.equal(w.webContents)
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').desktopCapturer.getSources({ types: ['screen'] }, () => {})`)
})
@@ -386,7 +399,12 @@ describe('app module', () => {
expect(moduleName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.require('test')`)
})
@@ -397,7 +415,12 @@ describe('app module', () => {
expect(globalName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.getGlobal('test')`)
})
@@ -590,6 +613,7 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true,
partition: 'empty-certificate'
}
})
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.