feat: add worldSafe flag for executeJS results #24114
Conversation
MarshallOfSound
force-pushed
the
world-safe-execute-js
branch
from
49f8c7c
to
3e2502a
Compare
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
MarshallOfSound
force-pushed
the
world-safe-execute-js
branch
from
7e8bb51
to
9615819
Compare
| * `worldSafeExecuteJavaScript` Boolean (optional) - If true, values returned from `webFrame.executeJavaScript` will be sanitized to ensure JS values | ||
| can't unsafely cross between worlds when using `contextIsolation`. The default | ||
| is `false`. In Electron 12, the default will be changed to `true`. _Deprecated_ |
There was a problem hiding this comment.
I wonder if this might be a good test case for the base::Feature-based stuff we've been talking about in api-wg?
There was a problem hiding this comment.
Maybe, but I don't super want to figure out that system / pioneer it in this PR
There was a problem hiding this comment.
Someone's gotta be the first :\
|
Release Notes Persisted
|
|
I was unable to backport this PR to "8-x-y" cleanly; |
|
I have automatically backported this PR to "10-x-y", please check out #24711 |
|
I have automatically backported this PR to "9-x-y", please check out #24712 |
<electron/electron#24114> "Previously the return values of webFrame.executeJavaScript crossed the world boundary when context isolation was enabled. This allows apps to makes themselves insecure by accidentally sending objects from the isolated world back to the main world. To help devs avoid this we're adding this new flag, and this flag will be turned on by default in Electron 12 (and removed) ensuring that this kind of issue can't become a thing again. This PR is also requesting new minors of 8 and 9 馃槃 Notes: Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from webFrame.executeJavaScript are world safe when context isolation is enabled"
<electron/electron#24114> "Previously the return values of webFrame.executeJavaScript crossed the world boundary when context isolation was enabled. This allows apps to makes themselves insecure by accidentally sending objects from the isolated world back to the main world. To help devs avoid this we're adding this new flag, and this flag will be turned on by default in Electron 12 (and removed) ensuring that this kind of issue can't become a thing again. This PR is also requesting new minors of 8 and 9 馃槃 Notes: Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from webFrame.executeJavaScript are world safe when context isolation is enabled"
|
Please don't remove the option. I have code the defines (and returns) anon functions in the main world. That's not even hypothetically unsafe. Also code that returns other main world objects (e.g. window). The 'window' property is unwritable and unconfigurable, so that's also not unsafe, you're always get the expected window even in untrusted content. It's reasonable for this raw access be restricted by default, but the EIC should retain it optionally, it can be safe, especially if the content is trusted. If contextIsolation can be disabled and nodeIntegration enabled, security is clearly ultimately up to the dev, it can't be forced like this. |
|
Could we please have some discussion about the planned removal of worldSafeExecuteJavaScript. I have code that depends on it. Retrieves the main world window. Defines anon functions for later execution. I have no issue with maximally secure defaults, but there shouldn't be a need to completely block this, breaking working code, forcing redesigns. . This can be used safely, judiciously. Considering security can be disabled completely, it's not unreasonable to optionally allow EIC to retrieve content world objects. Please don't remove the choice. |
| @@ -348,6 +348,9 @@ It creates a new `BrowserWindow` with native properties as set by the `options`. | |||
| You can access this context in the dev tools by selecting the | |||
| 'Electron Isolated Context' entry in the combo box at the top of the | |||
| Console tab. | |||
| * `worldSafeExecuteJavaScript` Boolean (optional) - If true, values returned from `webFrame.executeJavaScript` will be sanitized to ensure JS values | |||
| can't unsafely cross between worlds when using `contextIsolation`. The default | |||
| is `false`. In Electron 12, the default will be changed to `true`. _Deprecated_ | |||
There was a problem hiding this comment.
@MarshallOfSound Why is this marked Deprecated? I turned this on to prepare for Electron 12, but my code reviewer was confused why I'm using a deprecated option. Presumably false is deprecated, but I think we should be explicit about it.
There was a problem hiding this comment.
@poiru This option is a migration feature, it's kinda weird and you're right we should probably document it better. The flow here will be
- Add this option
- Change default of this option
- Deprecate this option in code
- Remove this option
We aren't going to leave this flag around forever / for long at all
Previously the return values of
webFrame.executeJavaScriptcrossed the world boundary when context isolation was enabled. This allows apps to makes themselves insecure by accidentally sending objects from the isolated world back to the main world. To help devs avoid this we're adding this new flag, and this flag will be turned on by default in Electron 12 (and removed) ensuring that this kind of issue can't become a thing again.This PR is also requesting new minors of 8 and 9 馃槃
Notes: Added new
worldSafeExecuteJavaScriptwebPreference to ensure that the return values fromwebFrame.executeJavaScriptare world safe when context isolation is enabled