Allow enabling <webview> tag with node integration disabled #9397
Conversation
… and raising events - Enabling creation on webview with node-integration disabled and raising events Conflicts: lib/browser/guest-view-manager.js
|
@juturu Can you explain the reasoning behind this, it seems very unsafe to me to have this option. |
|
@MarshallOfSound it is to enable the scenarios explained in #2749 (comment) & Added events which can help clear the preload scripts in webview. By default electron having this security feature enabled. If developer is willing to override it and knows the risk then i feel adding this flexibility will make it easier for folks doing workarounds to achieve similar result. @chandrachivukula @laramies to pitch in (if required). |
|
@juturu I have concerns that this is making doing a bad thing far too easy.
These two are not necessarily mutually inclusive, lot's of people don't read the security guidelines for Electron (I see so many people loading remote content with nodeIntegration enabled for instance) and giving people a simple boolean option to do this makes it way to easy for them to expose their users to a multitude of exploits. There is already a way to achieve what this option does but it requires a much greater understanding from the developer as to what they are actually doing.
Now you have the WebView element and no node environment, but it's a much more definitive as to what you are actually doing. Interested in feedback from others RE the user safety issues raised above @electron/maintainers |
|
@MarshallOfSound good point on the security concerns you raised. Here are couple of things i think we can do to make this flag more secure.
Does making the boolean something like |
docs/api/web-contents.md
Outdated
| @@ -218,6 +218,17 @@ When in-page navigation happens, the page URL changes but does not cause | |||
| navigation outside of the page. Examples of this occurring are when anchor links | |||
| are clicked or when the DOM `hashchange` event is triggered. | |||
|
|
|||
| #### Event: 'will-create-webview' | |||
There was a problem hiding this comment.
We already have will-attach-webview, could that be used instead?
https://electron.atom.io/docs/api/web-contents/#event-will-attach-webview
That would make it a lot more clear yes 👍
Not sure what the use case is for a webview without nodeInegration in the parent but IMO if the parent doesn't have nodeIntegration then the webview shouldn't have a preload script OR the option to enable nodeIntegration. It should have no way to access node API's if the parent can't |
| @@ -406,6 +406,9 @@ void WebContents::InitWithSessionAndOptions(v8::Isolate* isolate, | |||
|
|
|||
| Init(isolate); | |||
| AttachAsUserData(web_contents); | |||
|
|
|||
| if (IsGuest()) | |||
| Emit("did-create-webview"); | |||
There was a problem hiding this comment.
Do we still need this? We have web-contents-created that is emitted for each webContents and webContents.getType() to know which type was created.
docs/api/browser-window.md
Outdated
| * `overrideWebViewSecurity` Boolean (optional) - Whether to enable [webview-tag](webview-tag.md) | ||
| ignoring the security restriction based on `nodeIntegration`. Enabling this option will | ||
| have security implication on creating `webview` with `nodeIntegration` disabled. To avoid the | ||
| security risk, listen to `will-create-webview` event on [web-contents](web-contents.md) and |
There was a problem hiding this comment.
will-create-webview is no longer here so this line needs to be updated.
kevinsawicki
changed the title
I've updated this pull request to switch it to be called I've also made it so opened windows will have the
I've updated the security guide and other docs to mention how I'm open to going further and preventing them completely in this case but for remote content that runs a bit of local content, they seem easier to use than having the window do a |
So if we go with an option that simply enables or disables it, like |
|
Thanks for this @juturu 👍 |
|
Thanks @kevinsawicki 🙇 |
No description provided.