electron/spec/security-warnings-spec.js

const assert = require('assert')
const http = require('http')
const fs = require('fs')
const path = require('path')
const url = require('url')

const {remote} = require('electron')
const {BrowserWindow} = remote

const {closeWindow} = require('./window-helpers')

describe('security warnings', () => {
  let server
  let w = null
  let useCsp = true

  before(() => {
    // Create HTTP Server
    server = http.createServer((request, response) => {
      const uri = url.parse(request.url).pathname
      let filename = path.join(__dirname, './fixtures/pages', uri)

      fs.stat(filename, (error, stats) => {
        if (error) {
          response.writeHead(404, { 'Content-Type': 'text/plain' })
          response.end()
          return
        }

        if (stats.isDirectory()) {
          filename += '/index.html'
        }

        fs.readFile(filename, 'binary', (err, file) => {
          if (err) {
            response.writeHead(404, { 'Content-Type': 'text/plain' })
            response.end()
            return
          }

          const cspHeaders = { 'Content-Security-Policy': `script-src 'self' 'unsafe-inline'` }
          response.writeHead(200, useCsp ? cspHeaders : undefined)
          response.write(file, 'binary')
          response.end()
        })
      })
    }).listen(8881)
  })

  after(() => {
    // Close server
    server.close()
    server = null
  })

  afterEach(() => {
    closeWindow(w).then(() => { w = null })

    useCsp = true
  })

  it('should warn about Node.js integration with remote content', (done) => {
    w = new BrowserWindow({ show: false })
    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('Node.js Integration with Remote Content'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about disabled webSecurity', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        webSecurity: false,
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('Disabled webSecurity'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about insecure Content-Security-Policy', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        nodeIntegration: false
      }
    })

    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('Insecure Content-Security-Policy'))
      done()
    })

    useCsp = false
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about allowRunningInsecureContent', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        allowRunningInsecureContent: true,
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('allowRunningInsecureContent'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about experimentalFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        experimentalFeatures: true,
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('experimentalFeatures'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about blinkFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        blinkFeatures: ['my-cool-feature'],
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      assert(message.includes('blinkFeatures'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

  it('should warn about allowpopups', (done) => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      console.log(message)
      assert(message.includes('allowpopups'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
  })

  it('should warn about insecure resources', (done) => {
    w = new BrowserWindow({
      show: true,
      webPreferences: {
        nodeIntegration: false
      }
    })
    w.webContents.on('console-message', (e, level, message) => {
      console.log(message)
      assert(message.includes('Insecure Resources'))
      done()
    })

    w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
    w.webContents.openDevTools()
  })
})
feature: Hot security tips (#11810) * :wrench: Add security issue detection (and logs) * :wrench: Check for it on load * :construction_worker: Add some tests * :construction_worker: Make the linter happy * :wrench: Allow them to be enabled by force * :memo: Make message slightly prettier * :wrench: Fix a typo in the code comment * :wrench: Classic mistake * :rocket: Optimize things a bit more * :construction_worker: Add tests, fix tests * :memo: Document things * :wrench: Make linter happy * :wrench: One more piece of cleanup 2018-02-03 14:50:12 +00:00			`const assert = require('assert')`
			`const http = require('http')`
			`const fs = require('fs')`
			`const path = require('path')`
			`const url = require('url')`

			`const {remote} = require('electron')`
			`const {BrowserWindow} = remote`

			`const {closeWindow} = require('./window-helpers')`

			`describe('security warnings', () => {`
			`let server`
			`let w = null`
			`let useCsp = true`

			`before(() => {`
			`// Create HTTP Server`
			`server = http.createServer((request, response) => {`
			`const uri = url.parse(request.url).pathname`
			`let filename = path.join(__dirname, './fixtures/pages', uri)`

			`fs.stat(filename, (error, stats) => {`
			`if (error) {`
			`response.writeHead(404, { 'Content-Type': 'text/plain' })`
			`response.end()`
			`return`
			`}`

			`if (stats.isDirectory()) {`
			`filename += '/index.html'`
			`}`

			`fs.readFile(filename, 'binary', (err, file) => {`
			`if (err) {`
			`response.writeHead(404, { 'Content-Type': 'text/plain' })`
			`response.end()`
			`return`
			`}`

			const cspHeaders = { 'Content-Security-Policy': `script-src 'self' 'unsafe-inline'` }
			`response.writeHead(200, useCsp ? cspHeaders : undefined)`
			`response.write(file, 'binary')`
			`response.end()`
			`})`
			`})`
			`}).listen(8881)`
			`})`

			`after(() => {`
			`// Close server`
			`server.close()`
			`server = null`
			`})`

			`afterEach(() => {`
			`closeWindow(w).then(() => { w = null })`

			`useCsp = true`
			`})`

			`it('should warn about Node.js integration with remote content', (done) => {`
			`w = new BrowserWindow({ show: false })`
			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('Node.js Integration with Remote Content'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about disabled webSecurity', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`webSecurity: false,`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('Disabled webSecurity'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about insecure Content-Security-Policy', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`nodeIntegration: false`
			`}`
			`})`

			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('Insecure Content-Security-Policy'))`
			`done()`
			`})`

			`useCsp = false`
			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about allowRunningInsecureContent', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`allowRunningInsecureContent: true,`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('allowRunningInsecureContent'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about experimentalFeatures', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`experimentalFeatures: true,`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('experimentalFeatures'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about blinkFeatures', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`blinkFeatures: ['my-cool-feature'],`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`assert(message.includes('blinkFeatures'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
			`})`

			`it('should warn about allowpopups', (done) => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`console.log(message)`
			`assert(message.includes('allowpopups'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
			`})`

			`it('should warn about insecure resources', (done) => {`
			`w = new BrowserWindow({`
			`show: true,`
			`webPreferences: {`
			`nodeIntegration: false`
			`}`
			`})`
			`w.webContents.on('console-message', (e, level, message) => {`
			`console.log(message)`
			`assert(message.includes('Insecure Resources'))`
			`done()`
			`})`

			w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
			`w.webContents.openDevTools()`
			`})`
			`})`