disable initialization script injection into subframes on macOS (#1251)

* disable injecting init scripts into subframes on macOS * formatting * formatting * formatting
tauri-apps · May 13, 2024 · 4f37661 · 4f37661
1 parent a292398
commit 4f37661
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 7 deletions.
diff --git a/src/webview/webkitgtk/mod.rs b/src/webview/webkitgtk/mod.rs
@@ -423,9 +423,7 @@ impl InnerWebView {
     if let Some(manager) = self.webview.user_content_manager() {
       let script = UserScript::new(
         js,
-        // FIXME: We allow subframe injection because webview2 does and cannot be disabled (currently).
-        // once webview2 allows disabling all-frame script injection, TopFrame should be set
-        // if it does not break anything. (originally added for isolation pattern).
+        // TODO: feature to allow injecting into subframes
         UserContentInjectedFrames::TopFrame,
         UserScriptInjectionTime::Start,
         &[],

diff --git a/src/webview/webview2/mod.rs b/src/webview/webview2/mod.rs
@@ -798,6 +798,7 @@ window.addEventListener('mousemove', (e) => window.chrome.webview.postMessage('_
     Ok(webview)
   }
 
+  // TODO: feature to allow injecting into (specific) subframes
   fn add_script_to_execute_on_document_created(
     webview: &ICoreWebView2,
     js: String,

diff --git a/src/webview/wkwebview/mod.rs b/src/webview/wkwebview/mod.rs
@@ -898,11 +898,9 @@ r#"Object.defineProperty(window, 'ipc', {
     // [manager addUserScript:[[WKUserScript alloc] initWithSource:[NSString stringWithUTF8String:js.c_str()] injectionTime:WKUserScriptInjectionTimeAtDocumentStart forMainFrameOnly:YES]]
     unsafe {
       let userscript: id = msg_send![class!(WKUserScript), alloc];
+      // TODO: feature to allow injecting into subframes
       let script: id =
-      // FIXME: We allow subframe injection because webview2 does and cannot be disabled (currently).
-      // once webview2 allows disabling all-frame script injection, forMainFrameOnly should be enabled
-      // if it does not break anything. (originally added for isolation pattern).
-        msg_send![userscript, initWithSource:NSString::new(js) injectionTime:0 forMainFrameOnly:0];
+        msg_send![userscript, initWithSource:NSString::new(js) injectionTime:0 forMainFrameOnly:1];
       let _: () = msg_send![self.manager, addUserScript: script];
     }
   }