feat: sandbox preloads by default #32869

Merged
merged 24 commits into from Jul 11, 2022
Changes from 17 commits
5412286
feat: warn that preloads will be sandboxed by default in v20
nornagon Feb 11, 2022
345a572
add a note to breaking changes
nornagon Feb 11, 2022
6899bc9
feat: sandbox preloads by default
nornagon Feb 11, 2022
8321159
Merge branch 'main' into sandbox-by-default
nornagon Mar 28, 2022
1d53756
Merge branch 'main' into sandbox-by-default
nornagon Mar 30, 2022
cd3268d
nodeIntegrationInSubFrames ==> !sandbox
nornagon Mar 30, 2022
0a2d18e
explicitly turn off sandbox in libuv-hang test
nornagon Mar 30, 2022
f1089a4
fix some webview specs
nornagon Mar 30, 2022
76bd4fe
Merge branch 'main' into sandbox-by-default
nornagon Apr 4, 2022
bc21afd
Merge branch 'main' into sandbox-by-default
nornagon Apr 11, 2022
bfb39e7
Merge branch 'main' into sandbox-by-default
nornagon Jun 8, 2022
36a5886
don't disable sandbox for node_integration_in_sub_frames
nornagon Jun 8, 2022
c1cbac1
lint
nornagon Jun 8, 2022
77cf96a
fix: make preload calculation identical between sandbox & non-sandboxed
nornagon Jun 13, 2022
26c88e9
Merge branch 'normalize-preload-loading' into sandbox-by-default
nornagon Jun 13, 2022
f617ad0
fix test
nornagon Jun 13, 2022
21902fc
Merge branch 'normalize-preload-loading' into sandbox-by-default
nornagon Jun 13, 2022
78c8c30
split IPCs
nornagon Jun 14, 2022
a713708
Merge branch 'normalize-preload-loading' into sandbox-by-default
nornagon Jun 14, 2022
e2f39bb
nodeIntegration: true --> sandbox: false
nornagon Jun 14, 2022
87cb9aa
fix ipc constant
nornagon Jun 14, 2022
d065f2b
Merge branch 'normalize-preload-loading' into sandbox-by-default
nornagon Jun 14, 2022
e5a73fd
Merge branch 'main' into sandbox-by-default
nornagon Jun 15, 2022
9f75a06
use webpreferences to set sandbox=no
nornagon Jun 16, 2022
12 changes: 4 additions & 8 deletions lib/renderer/init.ts
Expand Up @@ -2,6 +2,7 @@ import * as path from 'path';
import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';

import type * as ipcRendererInternalModule from '@electron/internal/renderer/ipc-renderer-internal';
import type * as ipcRendererUtilsModule from '@electron/internal/renderer/ipc-renderer-internal-utils';

const Module = require('module');

Expand Down Expand Up @@ -38,6 +39,7 @@ require('../common/reset-search-paths');
require('@electron/internal/common/init');

const { ipcRendererInternal } = require('@electron/internal/renderer/ipc-renderer-internal') as typeof ipcRendererInternalModule;
const ipcRendererUtils = require('@electron/internal/renderer/ipc-renderer-internal-utils') as typeof ipcRendererUtilsModule;

process.getProcessMemoryInfo = () => {
return ipcRendererInternal.invoke<Electron.ProcessMemoryInfo>(IPC_MESSAGES.BROWSER_GET_PROCESS_MEMORY_INFO);
Expand All @@ -48,15 +50,8 @@ const { hasSwitch, getSwitchValue } = process._linkedBinding('electron_common_co
const { mainFrame } = process._linkedBinding('electron_renderer_web_frame');

const nodeIntegration = mainFrame.getWebPreference('nodeIntegration');
const preloadScript = mainFrame.getWebPreference('preload');
const preloadScripts = mainFrame.getWebPreference('preloadScripts');
const appPath = hasSwitch('app-path') ? getSwitchValue('app-path') : null;

// The webContents preload script is loaded after the session preload scripts.
if (preloadScript) {
preloadScripts.push(preloadScript);
}

// Common renderer initialization
require('@electron/internal/renderer/common-init');
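Review bot: with the `if (preloadScript) { preloadScripts.push(preloadScript); }` block and its comment gone, nothing in this file documents that the webContents preload still runs after the session preloads. That ordering is now whatever the browser side returns, so it would help to restate the guarantee in a comment where the list is fetched and to cover it with a spec that sets both a session preload and a `webPreferences.preload`.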

Expand Down Expand Up @@ -127,8 +122,9 @@ if (nodeIntegration) {
}
}

const { preloadScripts } = ipcRendererUtils.invokeSync(IPC_MESSAGES.BROWSER_SANDBOX_LOAD);
// Load the preload scripts.
for (const preloadScript of preloadScripts) {
for (const { preloadPath: preloadScript } of preloadScripts) {
try {
Module._load(preloadScript);
} catch (error) {
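Review bot: the new `ipcRendererUtils.invokeSync(IPC_MESSAGES.BROWSER_SANDBOX_LOAD)` call sits outside the `try`/`catch` that wraps `Module._load`, so a failed or malformed reply (for example one without `preloadScripts`) throws during renderer init instead of being reported per preload. Consider guarding the call or defaulting to an empty list. The constant name also reads as sandbox-only while this is the non-sandboxed init path; a rename or a one-line comment would avoid confusion.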
4 changes: 1 addition & 3 deletions shell/browser/web_contents_preferences.cc
Expand Up @@ -316,9 +316,7 @@ bool WebContentsPreferences::IsSandboxed() const {
if (sandbox_)
return *sandbox_;
bool sandbox_disabled_by_default =
node_integration_ || node_integration_in_worker_ || preload_path_ ||
!SessionPreferences::GetValidPreloads(web_contents_->GetBrowserContext())
.empty();
node_integration_ || node_integration_in_worker_;
return !sandbox_disabled_by_default;
}
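Review bot: in `IsSandboxed()`, dropping `preload_path_` and the `GetValidPreloads(...)` check from `sandbox_disabled_by_default` means a window that sets only a preload is now sandboxed, but nothing in the function says so. A short comment stating that only `node_integration_` and `node_integration_in_worker_` turn the sandbox off by default, and that an explicit `sandbox_` value always wins, would make this security default harder to regress. A spec asserting that a preload-only window reports as sandboxed would pin it.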

10 changes: 9 additions & 1 deletion spec-main/api-browser-window-spec.ts
Expand Up @@ -3263,7 +3263,15 @@ describe('BrowserWindow module', () => {
});
w.webContents.setWindowOpenHandler(() => ({
action: 'allow',
overrideBrowserWindowOptions: { show: false, webPreferences: { contextIsolation: false, webviewTag: true, nodeIntegrationInSubFrames: true } }
overrideBrowserWindowOptions: {
show: false,
webPreferences: {
contextIsolation: false,
webviewTag: true,
nodeIntegrationInSubFrames: true,
preload
}
}
}));

const webviewLoaded = emittedOnce(ipcMain, 'webview-loaded');
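Review bot: in the new `webPreferences` block, `nodeIntegrationInSubFrames: true` together with `preload` and no `nodeIntegration` or `sandbox` key means this child window falls under the new sandboxed-by-default rule. If the test is meant to cover the sandboxed case, say so in a comment; if it depends on an unsandboxed preload, set `sandbox: false` explicitly so the intent does not hinge on the default. The shorthand `preload` also relies on a variable defined outside this hunk, so it is worth confirming it points at the fixture this test expects.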
3 changes: 2 additions & 1 deletion spec-main/fixtures/apps/libuv-hang/main.js
Expand Up @@ -5,7 +5,8 @@ async function createWindow () {
const mainWindow = new BrowserWindow({
show: false,
webPreferences: {
preload: path.join(__dirname, 'preload.js')
preload: path.join(__dirname, 'preload.js'),
sandbox: false
}
});
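Review bot: `sandbox: false` is added next to `preload` without saying why this fixture needs an unsandboxed preload. A one-line comment stating what in `preload.js` requires it would mark this as a deliberate exception to the new default and stop someone from later removing the opt-out as cleanup.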

4 changes: 4 additions & 0 deletions spec/webview-spec.js
Expand Up @@ -243,6 +243,7 @@ describe('<webview> tag', function () {
it('preload script can require modules that still use "process" and "Buffer" when nodeintegration is off', async () => {
const message = await startLoadingWebViewAndWaitForMessage(webview, {
preload: `${fixtures}/module/preload-node-off-wrapper.js`,
nodeIntegration: true,
src: `file://${fixtures}/api/blank.html`
});
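Review bot: the added `nodeIntegration: true` contradicts the test title, which says it covers preloads `when nodeintegration is off`. If the goal is only to keep the preload out of the sandbox, turning on `nodeIntegration` changes what the test checks and grants the guest page more than the test requires. Prefer disabling the sandbox directly for this webview and leaving `nodeIntegration` unset, or rename the test to match.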

Expand Down Expand Up @@ -288,6 +289,7 @@ describe('<webview> tag', function () {
it('works without script tag in page', async () => {
const message = await startLoadingWebViewAndWaitForMessage(webview, {
preload: `${fixtures}/module/preload.js`,
nodeIntegration: true,
src: `file://${fixtures}pages/base-page.html`
});
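Review bot: `nodeIntegration: true` in 'works without script tag in page' gives the guest page Node access just to keep the preload unsandboxed, and the two hunks that follow do the same. An explicit sandbox opt-out would keep these tests on the narrower configuration. Separately, the `src` value on the context line reads `${fixtures}pages/base-page.html`, without the `/` after `${fixtures}` that the other `src` values in this file have; worth checking that the path resolves as intended.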

Expand All @@ -303,6 +305,7 @@ describe('<webview> tag', function () {
it('resolves relative URLs', async () => {
const message = await startLoadingWebViewAndWaitForMessage(webview, {
preload: '../fixtures/module/preload.js',
nodeIntegration: true,
src: `file://${fixtures}/pages/e.html`
});

Expand Down Expand Up @@ -390,6 +393,7 @@ describe('<webview> tag', function () {
const message = await startLoadingWebViewAndWaitForMessage(webview, {
disablewebsecurity: '',
preload: `${fixtures}/module/preload.js`,
nodeIntegration: true,
src: `file://${fixtures}/pages/e.html`
});
