New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: sandbox renderer processes for cross-origin frames #18650
Conversation
e610c87
to
a148167
Compare
4341891
to
d36007a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? What's the potential impact? Why do we need to explicitly do this?
@MarshallOfSound I've added a bit more text to the description
improved security, cross-origin iframes are sandboxed even if the main page is not
there should be no negative effects
because there is no way to explicitly enable sandbox on iframes |
ae37cee
to
5b32443
Compare
5b32443
to
e46e665
Compare
56c1b56
to
b29467f
Compare
cd5e900
to
17888ca
Compare
17888ca
to
cbc2f21
Compare
@MarshallOfSound can you please check again? |
cbc2f21
to
28017d1
Compare
Release Notes Persisted
|
Description of Change
Cross-origin frames, which have a separate renderer process due to site isolation do not have their own
webContents
and therefore use thewebPreferences
of the main frame. WhennodeIntegrationInSubFrames
is not enabled, there is no reason not to sandbox the renderer process as we are not executing any internal JavaScript code or initializing node, which would be impacted by the sandbox.Follow up to #15821
Checklist
npm test
passesRelease Notes
Notes: Renderer processes hosting cross-origin frames are now sandboxed unless the parent
BrowserWindow
enablesnodeIntegrationInSubFrames
.