chore: make nodeIntegration / webviewTag defaults false

electron · Jan 5, 2019 · 418e63d · 418e63d
1 parent 959c7a7
commit 418e63d
Show file tree

Hide file tree

Showing 23 changed files with 261 additions and 140 deletions.
diff --git a/atom/browser/web_contents_preferences.cc b/atom/browser/web_contents_preferences.cc
@@ -99,9 +99,9 @@ WebContentsPreferences::WebContentsPreferences(
   // Set WebPreferences defaults onto the JS object
   SetDefaultBoolIfUndefined(options::kPlugins, false);
   SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);
-  bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true);
+  SetDefaultBoolIfUndefined(options::kNodeIntegration, false);
   SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
-  SetDefaultBoolIfUndefined(options::kWebviewTag, node);
+  SetDefaultBoolIfUndefined(options::kWebviewTag, false);
   SetDefaultBoolIfUndefined(options::kSandbox, false);
   SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
   SetDefaultBoolIfUndefined(options::kContextIsolation, false);

diff --git a/default_app/default_app.js b/default_app/default_app.js
@@ -18,7 +18,6 @@ exports.load = async (appUrl) => {
     backgroundColor: '#FFFFFF',
     webPreferences: {
       contextIsolation: true,
-      nodeIntegration: false,
       preload: path.resolve(__dirname, 'renderer.js'),
       webviewTag: false
     },

diff --git a/docs/api/browser-view.md b/docs/api/browser-view.md
@@ -20,11 +20,7 @@ win.on('closed', () => {
   win = null
 })
 
-let view = new BrowserView({
-  webPreferences: {
-    nodeIntegration: false
-  }
-})
+let view = new BrowserView()
 win.setBrowserView(view)
 view.setBounds({ x: 0, y: 0, width: 300, height: 300 })
 view.webContents.loadURL('https://electronjs.org')

diff --git a/docs/api/browser-window.md b/docs/api/browser-window.md
@@ -250,8 +250,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
     `new-window-for-tab` event.
   * `webPreferences` Object (optional) - Settings of web page's features.
     * `devTools` Boolean (optional) - Whether to enable DevTools. If it is set to `false`, can not use `BrowserWindow.webContents.openDevTools()` to open DevTools. Default is `true`.
-    * `nodeIntegration` Boolean (optional) - Whether node integration is enabled. Default
-      is `true`.
+    * `nodeIntegration` Boolean (optional) - Whether node integration is enabled.
+      Default is `false`.
     * `nodeIntegrationInWorker` Boolean (optional) - Whether node integration is
       enabled in web workers. Default is `false`. More about this can be found
       in [Multithreading](../tutorial/multithreading.md).
@@ -353,7 +353,7 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
       integration disabled. **Note:** This option is currently
       experimental.
     * `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
-      Defaults to the value of the `nodeIntegration` option. **Note:** The
+      Defaults to `false`. **Note:** The
       `preload` script configured for the `<webview>` will have node integration
       enabled when it is executed so you should ensure remote/untrusted content
       is not able to create a `<webview>` tag with a possibly malicious `preload`
@@ -1603,7 +1603,7 @@ removed in future Electron releases.
 
 * `browserView` [BrowserView](browser-view.md). Attach browserView to win.
 If there is some other browserViews was attached they will be removed from
-this window.  
+this window.
 
 #### `win.getBrowserView()` _Experimental_
 

diff --git a/lib/renderer/init.js b/lib/renderer/init.js
@@ -38,7 +38,7 @@ const parseOption = function (name, defaultValue, converter = value => value) {
 }
 
 const contextIsolation = hasSwitch('context-isolation')
-let nodeIntegration = hasSwitch('node-integration')
+const nodeIntegration = hasSwitch('node-integration')
 const webviewTag = hasSwitch('webview-tag')
 const isHiddenPage = hasSwitch('hidden-page')
 const isBackgroundPage = hasSwitch('background-page')
@@ -64,14 +64,11 @@ if (contextIsolation) {
 if (window.location.protocol === 'chrome-devtools:') {
   // Override some inspector APIs.
   require('@electron/internal/renderer/inspector')
-  nodeIntegration = false
 } else if (window.location.protocol === 'chrome-extension:') {
   // Add implementations of chrome API.
   require('@electron/internal/renderer/chrome-api').injectTo(window.location.hostname, isBackgroundPage, window)
-  nodeIntegration = false
 } else if (window.location.protocol === 'chrome:') {
   // Disable node integration for chrome UI scheme.
-  nodeIntegration = false
 } else {
   // Override default web functions.
   require('@electron/internal/renderer/window-setup')(ipcRenderer, guestInstanceId, openerId, isHiddenPage, usesNativeWindowOpen)

diff --git a/spec/api-app-spec.js b/spec/api-app-spec.js
@@ -32,7 +32,10 @@ describe('electron module', () => {
       window = new BrowserWindow({
         show: false,
         width: 400,
-        height: 400
+        height: 400,
+        webPreferences: {
+          nodeIntegration: true
+        }
       })
     })
 
@@ -298,7 +301,12 @@ describe('app module', () => {
         password: 'electron'
       }
 
-      w = new BrowserWindow({ show: false })
+      w = new BrowserWindow({
+        show: false,
+        webPreferences: {
+          nodeIntegration: true
+        }
+      })
 
       w.webContents.on('did-finish-load', () => {
         expect(w.webContents.getTitle()).to.equal('authorized')
@@ -375,7 +383,12 @@ describe('app module', () => {
         expect(webContents).to.equal(w.webContents)
         done()
       })
-      w = new BrowserWindow({ show: false })
+      w = new BrowserWindow({
+        show: false,
+        webPreferences: {
+          nodeIntegration: true
+        }
+      })
       w.loadURL('about:blank')
       w.webContents.executeJavaScript(`require('electron').desktopCapturer.getSources({ types: ['screen'] }, () => {})`)
     })
@@ -386,7 +399,12 @@ describe('app module', () => {
         expect(moduleName).to.equal('test')
         done()
       })
-      w = new BrowserWindow({ show: false })
+      w = new BrowserWindow({
+        show: false,
+        webPreferences: {
+          nodeIntegration: true
+        }
+      })
       w.loadURL('about:blank')
       w.webContents.executeJavaScript(`require('electron').remote.require('test')`)
     })
@@ -397,7 +415,12 @@ describe('app module', () => {
         expect(globalName).to.equal('test')
         done()
       })
-      w = new BrowserWindow({ show: false })
+      w = new BrowserWindow({
+        show: false,
+        webPreferences: {
+          nodeIntegration: true
+        }
+      })
       w.loadURL('about:blank')
       w.webContents.executeJavaScript(`require('electron').remote.getGlobal('test')`)
     })
@@ -590,6 +613,7 @@ describe('app module', () => {
       w = new BrowserWindow({
         show: false,
         webPreferences: {
+          nodeIntegration: true,
           partition: 'empty-certificate'
         }
       })