-
Notifications
You must be signed in to change notification settings - Fork 15.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add preloadInWorker API #28923
Conversation
💖 Thanks for opening this pull request! 💖 We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the document it is unclear how this option works with contextIsolation
, can you make it clear and add related tests?
And I think this option should either respect the contextIsolation
option of the window, or just always run the preload script in isolated context. /cc @electron/wg-api
const preloadScript = parseOption('preload-in-worker'); | ||
|
||
if (nodeIntegration) { | ||
// Export node bindings to global. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file shares lots of code with lib/renderer/init.ts
, can you move the shared code into a utility function? Like what windowSetup
and webViewInit
do.
@zcbenz It seems that |
The But since this PR is adding
From current implementation, the preload scripts specified by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without solving the ctx isolation issue:
This script will always have access to node APIs no matter whether node integration in worker is turned on or off.
is fundamentally a massive security vulnerability that we can't / won't land into this project. Putting a hard block on this pending a proposal for how to deal with ctx isolation
Right now we have an option |
@hamst Thanks for explaining, I see your point now. I'm good with this API, since it is an improvement over |
Would be good to link the issue #28620 to this PR. |
I disagree with this from a security perspective. Previously, enabling Without context isolation this concept of "run a preload next to a worker script" is massively unsafe and IMO isn't something that belongs in core as it is antithetical to our secure-by-default policy |
Description of Change
Add
preloadInWorker
forwebPreferences
inBrowserWindow
to define a script to be loaded first before any other scripts in worker.cc @codebytere
Checklist
npm test
passesRelease Notes
Notes: Added preloadInWorker to define a script to be loaded first before any other scripts in worker.