New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: nodeIntegrationInSubFrames for preload scripts #22582
Comments
I second this, albeit I'm not using webviews (BrowserView). The documentation for TLDR: We need an option to enable |
The PR that added support for https://github.com/electron/electron/pull/16425/files#diff-2d7b7c752f838654945dc8366c5f20ab which is still the case Lines 214 to 218 in 5d657de
This means there is currently no warning when using I don't know if there is a technical limitation, but you can see that the PR was mixing these two concerns (nodeIntegration vs enabling preload). bool should_load_preload =
is_main_frame || is_devtools || allow_node_in_sub_frames; https://github.com/electron/electron/pull/16425/files#diff-2908f2d45ca07c2f0b1f2c8404928a34 A new option like Edit: arguably adding an option |
+1 |
When looking at the code changes within the PR (#16425) in which support for enabling preload scripts within iframes were added I think that the issue might be an ill named switch. It sounds like If that is the case it’s reasonable that the security warning is only shown for the main frame since all frames use the same switch for enabling/disabling I might have missed something so it would be good if someone with a deeper understanding could confirm this, like @MarshallOfSound |
@andreasdj It does, here's a fiddle https://gist.github.com/Prinzhorn/233b4ca1ddbfd8a80ad3aa86200a14b7 The good news is that However, if you both are enabled you get Node.js integration in every frame including other origins you don't control. true + false (iframe doesn't render the stuff that requires Node.js integration) true + true (the iframe has Node.js integration, I even tested it with index.html served from a server with a completely different origin) So again, Edit: I've updated the fiddle to use |
To be more specific I don't think the I think the But it is possible to disable nodeIntegration for all frames and still enable preload script functionality for sub frames (with nodeIntegration disabled) using:
This is where it starts to look really confusing and implies that we have enabled node integration in sub frames when we actually have not. That's the reason I think nodeIntegrationInSubFrames is named wrong and is mixing concerns as you have mentioned earlier, since it doesn't control nodeIntegration on it's own. |
Look at my first screenshot. The iframe does not have Node.js integration. I was just demonstrating with the other fiddle that for same-origin frames it is identical from a security perspective because you can still access Node.js APIs via the parent frame. But I think we all agree (and this conversation confirms) that the current situation is confusing, if not dangerous. |
So for my project I was simply looking for a way to run any kind of code/preload on iframes that are INSIDE of webviews and I found the nodeIntegrationInSubFrames option. I couldn't get it to work in combination with webviews, because of this PR which for some reason considered the documented feature a bug. The docs explicitly mention that this is actually a feature, and still list it as one. Even worse, to even get all of this to work in the first place (if that inconsistent PR wasn't accepted) you would STILL need Although I wasn't too clear in my initial report, I completely agree with @Prinzhorn in that we need a different way to use preloads in subframes WITHOUT requiring |
We also need this for our project. An option like |
Bump! |
It seems that setting nodeIntegrationInSubFrames in the web preferences of both the WebView and the BrowserWindow enables the preload script for iframes within the webview. See https://gist.github.com/ad93987ddd6b1e40f94f11fa421578b6 |
Preflight Checklist
Problem Description
I want the preload script of a webview to run in ALL subframes of that webview, such as iframes, so that I can detect anchor tags within these subframes. This is required to fix this issue for one of my projects.
Correct me if I am wrong, but it would seem that this was possibly before, but it was considered a bug: #18429
The purpose of the
nodeIntegrationInSubFrames
is now ill-defined, and does not do what it says it does regarding the preload script, at least according to my interpretation of the documentation:Proposed Solution
I would like restore this behavior for preload scripts, possibly with a separate setting to enable it. If there is any existing way to run preload scripts for iframes that are inside a webview, please enlighten me, because I have not found any other way to achieve this.
Alternatives Considered
I have tried to run my preload script for iframes inside webview, by enabling
nodeIntegrationInSubFrames
, but so far without success. After I discovered #18429, I decided it was time to open a feature request in order to resolve this confusing situation.Additional Information
I would like to answer this question once and for all, because the documentation is now inconsistent with the actual behavior. It would seem that I am not the only one who is confused by this change:
#19260 (comment)
The text was updated successfully, but these errors were encountered: