fix: <webview> not working in scriptable popups

[miniak]

Description of Change

In this PR #15859 I've added a check to prevent <webview> related IPCs from being handled when webviewTag is not enabled for the given sender to increase security. It relies on getLastWebPreferences():

electron/lib/browser/guest-view-manager.js

Lines 319 to 326 in 692df80

	const isWebViewTagEnabled = function (contents) {
	if (!isWebViewTagEnabledCache.has(contents)) {
	const webPreferences = contents.getLastWebPreferences() || {}
	isWebViewTagEnabledCache.set(contents, !!webPreferences.webviewTag)
	}
	return isWebViewTagEnabledCache.get(contents)
	}

When a scriptable popup is created, Chromium creates the webContents and Electron migrates the webPreferences

electron/shell/browser/api/atom_api_browser_window.cc

Lines 51 to 66 in 692df80

	if (options.Get("webContents", &web_contents) && !web_contents.IsEmpty()) {
	// Set webPreferences from options if using an existing webContents.
	// These preferences will be used when the webContent launches new
	// render processes.
	auto* existing_preferences =
	WebContentsPreferences::From(web_contents->web_contents());
	base::DictionaryValue web_preferences_dict;
	if (mate::ConvertFromV8(isolate, web_preferences.GetHandle(),
	&web_preferences_dict)) {
	existing_preferences->Clear();
	existing_preferences->Merge(web_preferences_dict);
	}
	} else {
	// Creates the WebContents used by BrowserWindow.
	web_contents = WebContents::Create(isolate, web_preferences);
	}

The webPreferences are cloned to be returned by getLastWebPreferences() in the constructor of WebContentsPreferences. However Clear and Merge are called afterwards.

electron/shell/browser/web_contents_preferences.cc

Line 169 in 692df80

last_preference_ = preference_.Clone();

In case of cross-origin popup a new renderer process is created and the webPreferences are turned into command-line switches in WebContentsPreferences::AppendCommandLineSwitches(), which also clones them again (after the Merge).

electron/shell/browser/web_contents_preferences.cc

Lines 418 to 421 in 692df80

	// We are appending args to a webContents so let's save the current state
	// of our preferences object so that during the lifetime of the WebContents
	// we can fetch the options used to initally configure the WebContents
	last_preference_ = preference_.Clone();

The problem is that in case of scriptable popup, the existing renderer process is reused. Therefore WebContentsPreferences::AppendCommandLineSwitches() is not called and the webPreferences are not cloned after the merge. Which means that getLastWebPreferences() returns incorrect values (with webviewTag disabled).

This PR fixes the <webview> issue by making sure that getLastWebPreferences() returns correct values by cloning the webPreferences after the merge.

Checklist

• PR description included and stakeholders cc'd
• npm test passes
• tests are changed or added
• PR title follows semantic commit guidelines
• PR release notes describe the change in a way relevant to app developers, and are capitalized, punctuated, and past tense.

Release Notes

Notes: Fixed <webview> not working in scriptable popups when nativeWindowOpen is enabled.

[trop]

A maintainer has manually backported this PR to "5-0-x", please check out #19206

[deepak1556]

Scary bug, nice find!

[release-clerk]

Release Notes Persisted

Fixed <webview> not working in scriptable popups when nativeWindowOpen is enabled.

[trop]

I have automatically backported this PR to "6-0-x", please check out #19218