Disable node on child window when disabled on parent

[kevinsawicki]

If nodeIntegration is disabled on the parent window then disable it on all child windows opened via window.open or in <webview> tags.

This prevents windows without node integration from opening new windows with node integration enabled.

This seems to be an intuitive behavior for this option, if you disable node on a window/webview then all downstream windows will also have node integration disabled preventing content run in those windows from "breaking out" and getting access to node integration via calls to window.open.

Fixes #3943
Fixes #4026

/cc @zeke 🍐

[zeke]

It would be nice to come up with an assertion that's less abstact. I know when we paired we tested the failure case before adding the implementation, but on its own this code gives me very little confidence that the feature actually works.

[kevinsawicki]

👍 I updated the assert to be for a isProcessGlobalUndefined value that is true.

[zeke]

Nice.

[zeke]

Are the builds flaky?

[kevinsawicki]

Are the builds flaky?

Looks like the output was:

[TypeError: Cannot read property 'nodeIntegration' of undefined] 'TypeError: Cannot read property \'nodeIntegration\' of undefined
    at mergeBrowserWindowOptions (/var/lib/jenkins/workspace/electron-linux-x64/out/D/resources/atom.asar/browser/guest-window-manager.js:33:54)
    at EventEmitter.<anonymous> (/var/lib/jenkins/workspace/electron-linux-x64/out/D/resources/atom.asar/browser/guest-window-manager.js:89:13)
    at emitMany (events.js:108:13)
    at EventEmitter.emit (events.js:182:7)
    at EventEmitter.<anonymous> (/var/lib/jenkins/workspace/electron-linux-x64/out/D/resources/atom.asar/browser/api/web-contents.js:136:25)
    at emitTwo (events.js:87:13)
    at EventEmitter.emit (events.js:172:7)

So it looks like there may a case where a browserWindowOptions is missing webPreferences and so this new code is causing a flaky failure.

I'll investigate 🔍

[kevinsawicki]

/cc @wearhere @lukeapage wanted to get your thoughts on this new behavior since you both commented on #3943 and #4026

[kevinsawicki]

@zcbenz any concerns with merging this? 👀

[zcbenz]

👍

[laramies]

@kevinsawicki: I am using Electron 0.37.5 and webviews still can enable nodeintegration even if the parent has nodeintegration disabled. I was expecting this PR to prevent this, right?

[kevinsawicki]

I am using Electron 0.37.5 and webviews still can enable nodeintegration even if the parent has nodeintegration disabled. I was expecting this PR to prevent this, right?

@laramies can you create a new issue with example code for this? Thanks

[laramies]

@kevinsawicki I created #5171 but it was closed by @zcbenz as duplicate. Can you please confirm that it's going to be fixed, please?

[TimNZ]

Does this PR address current security concerns about arbitrary script in remote pages accessing node resources? e.g. can I feel safe now that except for 0 day exploit that webview content cannot doing anything it couldn't do before if nodeintegration is not enabled?

In my quick testing it appears so.