New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security: allow to block desktopCapturer.getSources() calls #15964
Conversation
1cd375f
to
fe1397e
Compare
The failing Windows tests do not seem to be caused by the changes in this PR, but I'm not sure if they are revealed because of the new tests added by this PR. If it is I would like to fix the failing tests before merging this. |
docs/api/app.md
Outdated
* `webContents` [WebContents](web-contents.md) | ||
|
||
Emitted when `desktopCapturer.getSources()` is called in the renderer process of `webContents`. | ||
Calling `event.preventDefault()` will make it throw an error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of making this throw an error, can we make it transparent to the caller and return an empty array.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's what I did initially before pushing the PR and then I though an error is more explicit.
What do others think?
cc @nornagon, @deepak1556, @alexeykuzmin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's similar to remote.require()
blocking, the purpose is to prevent malicious use. In which case I think it's better if it blows up on the caller side. Also makes it easier to debug, when you are trying to get rid of these calls to allow the blocking to be enabled.
d07a7e2
to
ce9740f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer the empty array approach; it's less likely to break things.
ce9740f
to
d947d98
Compare
d947d98
to
b25e4cc
Compare
@zcbenz, tests are not failing, but electron crashes on this
|
|
@deepak1556, @felixrieseberg, @nornagon any ideas what could be wrong? |
The assertion means there is a message window still open when quitting, the code probably need to do some cleanup job for desktopCapturer. |
b25e4cc
to
be02125
Compare
@zcbenz when |
The crash does not seem to be this PR's fault. After looking into the crash, I found that running any I'll fix the root cause of the crash. |
The lint error is not related to this PR, it comes from master branch. |
Release Notes Persisted
|
Description of Change
Allows blocking of
desktopCapturer.getSources()
calls by handling thedesktop-capturer-get-sources
event.Checklist
npm test
passesRelease Notes
Notes: Allowed blocking of
desktopCapturer.getSources()
calls by handling thedesktop-capturer-get-sources
event.