fix: disable nodeIntegration & insecure resource warnings for localhost #18814
Description of Change
This PR removes the "node integration with remote content" and "loading insecure content" warning messages when loading from localhost.
A lot of Electron projects use webpack-dev-server for development, which involves "remote" content being loaded over an insecure connection from localhost, resulting in at least two warning messages in the console.
The warning messages are annoying and they confuse people. Worse, they can actually be counterproductive as people are resorting to disabling the security check just to get rid of the warnings, which means they won't see them when it really matters.
Note: I explicitly chose not to test against
Notes: "Node integration with remote content" and "loading insecure content" warning messages are suppressed for localhost connections.
Looks like the tests are failing.
"Node integration with remote content" is failing because it's waiting for a console message that never comes (since it's suppressed). I'm not sure how to test this but here are some ideas:
"Loading insecure resources" is failing because the resource that's being loaded (which is correctly filtered) is loading a stylesheet from
For the "node integration with remote content" test, I opted in for using
For the "Loading insecure resources" test, I modified the test to check that the resource it's loading from localhost is not included in the warning message.
In warnAboutNodeWithRemoteContent(), add a check to see if the hostname is "localhost" and prevent the warning message if it is.
In warnAboutInsecureResources(), filter out resources from localhost since they are most likely not a threat.
Add tests for ignoring warning messages for the following scenarios:
1. node integration with remote content from localhost
2. loading insecure resources from localhost
Instead of relying on the "did-finish-load" event, which may result in a race condition, add an "onload" handler that logs "loaded" to the console. This will execute _after_ the nodeIntegration check, so it can be safely used as a signal to indicate that the test is done.
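The two localhost checks described in the commit messages above, as an added JavaScript example that is not this PR's code or Electron's source: the function names, the sample URLs and the choice of which schemes count as remote are assumptions. It compares the parsed hostname exactly, so look-alike hosts and URLs that merely contain the string "localhost" still produce a warning.

```javascript
// Added example, not Electron's source. All function names are hypothetical.

// True only when the parsed hostname is exactly "localhost".
// Parsing with URL avoids substring matches on look-alike hosts, paths or queries.
function isLocalhostUrl(rawUrl) {
  try {
    return new URL(rawUrl).hostname === 'localhost';
  } catch {
    return false; // unparsable URL: treat as not local, so the warning still fires
  }
}

// Node-integration warning: fires when node integration is enabled and the page
// is remote content that does not come from localhost.
// Assumption: http, https and ftp count as "remote".
function shouldWarnNodeWithRemoteContent(pageUrl, nodeIntegration) {
  if (!nodeIntegration) return false;
  const isRemote = /^(https?|ftp):/i.test(pageUrl);
  return isRemote && !isLocalhostUrl(pageUrl);
}

// Insecure-resource warning: keep http/ftp resources, then drop localhost ones.
function insecureResourcesToReport(resourceUrls) {
  return resourceUrls
    .filter((u) => /^(http|ftp):/i.test(u))
    .filter((u) => !isLocalhostUrl(u));
}

// Constructed sample input (not taken from the PR).
const SAMPLE_RESOURCES = [
  'http://localhost:8080/bundle.js',                  // dev server: suppressed
  'http://localhost.example.test/app.js',             // look-alike host: reported
  'http://cdn.example.test/style.css?from=localhost', // query string only: reported
  'https://cdn.example.test/ok.js',                   // secure: never reported
  'ftp://files.example.test/data.bin',                // insecure scheme: reported
];

console.log(insecureResourcesToReport(SAMPLE_RESOURCES).map((u) => `- ${u}`).join('\n'));
console.log(shouldWarnNodeWithRemoteContent('http://localhost:8080/index.html', true));
```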
MarshallOfSound left a comment
The only case this will stop warning about but is still valid is folks creating a localhost server to serve content in production. But that's a separate problem that this warning isn't attempting to prevent so