Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: disable nodeIntegration / webviewTag by default #16235

Merged
merged 1 commit into from Jan 7, 2019
Merged

chore: disable nodeIntegration / webviewTag by default #16235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 2 additions & 2 deletions atom/browser/web_contents_preferences.cc
View file
Open in desktop
Expand Up @@ -99,9 +99,9 @@ WebContentsPreferences::WebContentsPreferences(
// Set WebPreferences defaults onto the JS object
SetDefaultBoolIfUndefined(options::kPlugins, false);
SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);
bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true);
SetDefaultBoolIfUndefined(options::kNodeIntegration, false);
SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
SetDefaultBoolIfUndefined(options::kWebviewTag, node);
SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kContextIsolation, false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This default was also deprecated

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarshallOfSound I know, this one will be handled in a separate PR.

Expand Down
1 change: 0 additions & 1 deletion default_app/default_app.js
View file
Open in desktop
Expand Up @@ -18,7 +18,6 @@ exports.load = async (appUrl) => {
backgroundColor: '#FFFFFF',
webPreferences: {
contextIsolation: true,
nodeIntegration: false,
preload: path.resolve(__dirname, 'renderer.js'),
webviewTag: false
},
Expand Down
6 changes: 1 addition & 5 deletions docs/api/browser-view.md
View file
Open in desktop
Expand Up @@ -20,11 +20,7 @@ win.on('closed', () => {
win = null
})

let view = new BrowserView({
webPreferences: {
nodeIntegration: false
}
})
let view = new BrowserView()
win.setBrowserView(view)
view.setBounds({ x: 0, y: 0, width: 300, height: 300 })
view.webContents.loadURL('https://electronjs.org')
Expand Down
8 changes: 4 additions & 4 deletions docs/api/browser-window.md
View file
Open in desktop
Expand Up @@ -250,8 +250,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
`new-window-for-tab` event.
* `webPreferences` Object (optional) - Settings of web page's features.
* `devTools` Boolean (optional) - Whether to enable DevTools. If it is set to `false`, can not use `BrowserWindow.webContents.openDevTools()` to open DevTools. Default is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled. Default
is `true`.
* `nodeIntegration` Boolean (optional) - Whether node integration is enabled.
Default is `false`.
* `nodeIntegrationInWorker` Boolean (optional) - Whether node integration is
enabled in web workers. Default is `false`. More about this can be found
in [Multithreading](../tutorial/multithreading.md).
Expand Down Expand Up @@ -353,7 +353,7 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
integration disabled. **Note:** This option is currently
experimental.
* `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
Defaults to the value of the `nodeIntegration` option. **Note:** The
Defaults to `false`. **Note:** The
`preload` script configured for the `<webview>` will have node integration
enabled when it is executed so you should ensure remote/untrusted content
is not able to create a `<webview>` tag with a possibly malicious `preload`
Expand Down Expand Up @@ -1603,7 +1603,7 @@ removed in future Electron releases.

* `browserView` [BrowserView](browser-view.md). Attach browserView to win.
If there is some other browserViews was attached they will be removed from
this window.
this window.

#### `win.getBrowserView()` _Experimental_

Expand Down
5 changes: 1 addition & 4 deletions lib/renderer/init.js
View file
Open in desktop
Expand Up @@ -38,7 +38,7 @@ const parseOption = function (name, defaultValue, converter = value => value) {
}

const contextIsolation = hasSwitch('context-isolation')
let nodeIntegration = hasSwitch('node-integration')
const nodeIntegration = hasSwitch('node-integration')
const webviewTag = hasSwitch('webview-tag')
const isHiddenPage = hasSwitch('hidden-page')
const isBackgroundPage = hasSwitch('background-page')
Expand All @@ -64,14 +64,11 @@ if (contextIsolation) {
if (window.location.protocol === 'chrome-devtools:') {
// Override some inspector APIs.
require('@electron/internal/renderer/inspector')
nodeIntegration = false
} else if (window.location.protocol === 'chrome-extension:') {
// Add implementations of chrome API.
require('@electron/internal/renderer/chrome-api').injectTo(window.location.hostname, isBackgroundPage, window)
nodeIntegration = false
} else if (window.location.protocol === 'chrome:') {
// Disable node integration for chrome UI scheme.
nodeIntegration = false
} else {
// Override default web functions.
require('@electron/internal/renderer/window-setup')(ipcRenderer, guestInstanceId, openerId, isHiddenPage, usesNativeWindowOpen)
Expand Down
34 changes: 29 additions & 5 deletions spec/api-app-spec.js
View file
Open in desktop
Expand Up @@ -32,7 +32,10 @@ describe('electron module', () => {
window = new BrowserWindow({
show: false,
width: 400,
height: 400
height: 400,
webPreferences: {
nodeIntegration: true
}
})
})

Expand Down Expand Up @@ -298,7 +301,12 @@ describe('app module', () => {
password: 'electron'
}

w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})

w.webContents.on('did-finish-load', () => {
expect(w.webContents.getTitle()).to.equal('authorized')
Expand Down Expand Up @@ -375,7 +383,12 @@ describe('app module', () => {
expect(webContents).to.equal(w.webContents)
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').desktopCapturer.getSources({ types: ['screen'] }, () => {})`)
})
Expand All @@ -386,7 +399,12 @@ describe('app module', () => {
expect(moduleName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.require('test')`)
})
Expand All @@ -397,7 +415,12 @@ describe('app module', () => {
expect(globalName).to.equal('test')
done()
})
w = new BrowserWindow({ show: false })
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
}
})
w.loadURL('about:blank')
w.webContents.executeJavaScript(`require('electron').remote.getGlobal('test')`)
})
Expand Down Expand Up @@ -590,6 +613,7 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true,
partition: 'empty-certificate'
}
})
Expand Down