electron/lib/browser/guest-window-manager.js

365 lines
12 KiB
JavaScript
Raw Normal View History

'use strict'
2016-03-18 18:51:02 +00:00
const electron = require('electron')
const { BrowserWindow } = electron
const { isSameOrigin } = process.electronBinding('v8_util')
const { ipcMainInternal } = require('@electron/internal/browser/ipc-main-internal')
const ipcMainUtils = require('@electron/internal/browser/ipc-main-internal-utils')
const parseFeaturesString = require('@electron/internal/common/parse-features-string')
2016-01-12 02:40:23 +00:00
const hasProp = {}.hasOwnProperty
2017-04-25 20:53:29 +00:00
const frameToGuest = new Map()
2016-01-12 02:40:23 +00:00
// Security options that child windows will always inherit from parent windows
const inheritedWebPreferences = new Map([
['contextIsolation', true],
['javascript', false],
['nativeWindowOpen', true],
['nodeIntegration', false],
['enableRemoteModule', false],
['sandbox', true],
['webviewTag', false],
['nodeIntegrationInSubFrames', false]
])
2016-01-14 18:35:29 +00:00
// Copy attribute of |parent| to |child| if it is not defined in |child|.
const mergeOptions = function (child, parent, visited) {
// Check for circular reference.
if (visited == null) visited = new Set()
if (visited.has(parent)) return
visited.add(parent)
for (const key in parent) {
if (key === 'type') continue
if (!hasProp.call(parent, key)) continue
if (key in child && key !== 'webPreferences') continue
const value = parent[key]
if (typeof value === 'object' && !Array.isArray(value)) {
child[key] = mergeOptions(child[key] || {}, value, visited)
} else {
child[key] = value
2016-01-12 02:40:23 +00:00
}
}
visited.delete(parent)
return child
}
2016-01-12 02:40:23 +00:00
2016-01-14 18:35:29 +00:00
// Merge |options| with the |embedder|'s window's options.
const mergeBrowserWindowOptions = function (embedder, options) {
if (options.webPreferences == null) {
options.webPreferences = {}
}
2016-01-12 02:40:23 +00:00
if (embedder.browserWindowOptions != null) {
let parentOptions = embedder.browserWindowOptions
// if parent's visibility is available, that overrides 'show' flag (#12125)
const win = BrowserWindow.fromWebContents(embedder.webContents)
if (win != null) {
2018-09-13 16:10:51 +00:00
parentOptions = { ...embedder.browserWindowOptions, show: win.isVisible() }
}
2016-01-14 18:35:29 +00:00
// Inherit the original options if it is a BrowserWindow.
mergeOptions(options, parentOptions)
2016-01-12 02:40:23 +00:00
} else {
2017-05-24 18:30:59 +00:00
// Or only inherit webPreferences if it is a webview.
mergeOptions(options.webPreferences, embedder.getLastWebPreferences())
2016-01-12 02:40:23 +00:00
}
// Inherit certain option values from parent window
const webPreferences = embedder.getLastWebPreferences()
for (const [name, value] of inheritedWebPreferences) {
if (webPreferences[name] === value) {
options.webPreferences[name] = value
}
}
// Sets correct openerId here to give correct options to 'new-window' event handler
options.webPreferences.openerId = embedder.id
return options
}
2016-01-12 02:40:23 +00:00
// Setup a new guest with |embedder|
2016-09-29 14:01:05 +00:00
const setupGuest = function (embedder, frameName, guest, options) {
2016-01-14 18:44:21 +00:00
// When |embedder| is destroyed we should also destroy attached guest, and if
// guest is closed by user then we should prevent |embedder| from double
// closing guest.
2016-10-05 09:46:55 +00:00
const guestId = guest.webContents.id
const closedByEmbedder = function () {
guest.removeListener('closed', closedByUser)
guest.destroy()
}
const closedByUser = function () {
embedder._sendInternal('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_CLOSED_' + guestId)
fix: use appropriate site instance for cross-site nav's (#15821) * fix: use Chromium's determined new site instance as candidate when navigating. When navigating to a new address, consider using Chromium's determined site instance for the new page as it should belong to an existing browsing instance when the navigation was triggered by window.open(). fixes 8100. * Revert "fix: use Chromium's determined new site instance as candidate when navigating." This reverts commit eb95f935654a2c4d4457821297670836c10fdfd5. * fix: delegate site instance creation back to content when sandboxed. * fix: ensure site isolation is on * test: adapt ut for cross-site navigation * fix: register pending processes during a navigation. * refactor: dont call loadURL for a window constructed from an existing webContents. * test: add sandboxed affinity UT's. * fix: check affinity before deciding if to force a new site instance. * chore: adapt subsequent patch. * refactor: constify logically const methods. * fix: do not reuse site instances when navigation redirects cross-site. * test: ensure localStorage accessible after x-site redirect. * test: adapt localStorage acess denied UT for site isolation. * fix: do not send render-view-deleted for speculative frames. * chore: amend tests after rebase. * test: add ut for webContents' render-view-deleted emission * fix: introduce current-render-view-deleted for current RVH's deletions. Revert render-view-deleted to being emitted with any RVH's deletion. current-render-view-deleted is emitted only when the RVH being deleted is the current one. * refactor: style and comments fixed.
2018-12-05 08:03:39 +00:00
embedder.removeListener('current-render-view-deleted', closedByEmbedder)
}
fix: use appropriate site instance for cross-site nav's (#15821) * fix: use Chromium's determined new site instance as candidate when navigating. When navigating to a new address, consider using Chromium's determined site instance for the new page as it should belong to an existing browsing instance when the navigation was triggered by window.open(). fixes 8100. * Revert "fix: use Chromium's determined new site instance as candidate when navigating." This reverts commit eb95f935654a2c4d4457821297670836c10fdfd5. * fix: delegate site instance creation back to content when sandboxed. * fix: ensure site isolation is on * test: adapt ut for cross-site navigation * fix: register pending processes during a navigation. * refactor: dont call loadURL for a window constructed from an existing webContents. * test: add sandboxed affinity UT's. * fix: check affinity before deciding if to force a new site instance. * chore: adapt subsequent patch. * refactor: constify logically const methods. * fix: do not reuse site instances when navigation redirects cross-site. * test: ensure localStorage accessible after x-site redirect. * test: adapt localStorage acess denied UT for site isolation. * fix: do not send render-view-deleted for speculative frames. * chore: amend tests after rebase. * test: add ut for webContents' render-view-deleted emission * fix: introduce current-render-view-deleted for current RVH's deletions. Revert render-view-deleted to being emitted with any RVH's deletion. current-render-view-deleted is emitted only when the RVH being deleted is the current one. * refactor: style and comments fixed.
2018-12-05 08:03:39 +00:00
embedder.once('current-render-view-deleted', closedByEmbedder)
2017-07-11 00:50:54 +00:00
guest.once('closed', closedByUser)
2016-01-12 02:40:23 +00:00
if (frameName) {
2017-04-25 20:53:29 +00:00
frameToGuest.set(frameName, guest)
guest.frameName = frameName
guest.once('closed', function () {
2017-04-25 20:53:29 +00:00
frameToGuest.delete(frameName)
})
2016-01-12 02:40:23 +00:00
}
2016-10-05 09:46:55 +00:00
return guestId
2016-09-29 14:01:05 +00:00
}
// Create a new guest created by |embedder| with |options|.
const createGuest = function (embedder, url, referrer, frameName, options, postData) {
2017-04-25 20:53:29 +00:00
let guest = frameToGuest.get(frameName)
if (frameName && (guest != null)) {
guest.loadURL(url)
2016-10-05 09:46:55 +00:00
return guest.webContents.id
}
// Remember the embedder window's id.
if (options.webPreferences == null) {
options.webPreferences = {}
}
guest = new BrowserWindow(options)
fix: use appropriate site instance for cross-site nav's (#15821) * fix: use Chromium's determined new site instance as candidate when navigating. When navigating to a new address, consider using Chromium's determined site instance for the new page as it should belong to an existing browsing instance when the navigation was triggered by window.open(). fixes 8100. * Revert "fix: use Chromium's determined new site instance as candidate when navigating." This reverts commit eb95f935654a2c4d4457821297670836c10fdfd5. * fix: delegate site instance creation back to content when sandboxed. * fix: ensure site isolation is on * test: adapt ut for cross-site navigation * fix: register pending processes during a navigation. * refactor: dont call loadURL for a window constructed from an existing webContents. * test: add sandboxed affinity UT's. * fix: check affinity before deciding if to force a new site instance. * chore: adapt subsequent patch. * refactor: constify logically const methods. * fix: do not reuse site instances when navigation redirects cross-site. * test: ensure localStorage accessible after x-site redirect. * test: adapt localStorage acess denied UT for site isolation. * fix: do not send render-view-deleted for speculative frames. * chore: amend tests after rebase. * test: add ut for webContents' render-view-deleted emission * fix: introduce current-render-view-deleted for current RVH's deletions. Revert render-view-deleted to being emitted with any RVH's deletion. current-render-view-deleted is emitted only when the RVH being deleted is the current one. * refactor: style and comments fixed.
2018-12-05 08:03:39 +00:00
if (!options.webContents) {
2016-09-29 13:37:28 +00:00
// We should not call `loadURL` if the window was constructed from an
fix: use appropriate site instance for cross-site nav's (#15821) * fix: use Chromium's determined new site instance as candidate when navigating. When navigating to a new address, consider using Chromium's determined site instance for the new page as it should belong to an existing browsing instance when the navigation was triggered by window.open(). fixes 8100. * Revert "fix: use Chromium's determined new site instance as candidate when navigating." This reverts commit eb95f935654a2c4d4457821297670836c10fdfd5. * fix: delegate site instance creation back to content when sandboxed. * fix: ensure site isolation is on * test: adapt ut for cross-site navigation * fix: register pending processes during a navigation. * refactor: dont call loadURL for a window constructed from an existing webContents. * test: add sandboxed affinity UT's. * fix: check affinity before deciding if to force a new site instance. * chore: adapt subsequent patch. * refactor: constify logically const methods. * fix: do not reuse site instances when navigation redirects cross-site. * test: ensure localStorage accessible after x-site redirect. * test: adapt localStorage acess denied UT for site isolation. * fix: do not send render-view-deleted for speculative frames. * chore: amend tests after rebase. * test: add ut for webContents' render-view-deleted emission * fix: introduce current-render-view-deleted for current RVH's deletions. Revert render-view-deleted to being emitted with any RVH's deletion. current-render-view-deleted is emitted only when the RVH being deleted is the current one. * refactor: style and comments fixed.
2018-12-05 08:03:39 +00:00
// existing webContents (window.open in a sandboxed renderer).
2016-09-29 13:37:28 +00:00
//
// Navigating to the url when creating the window from an existing
fix: use appropriate site instance for cross-site nav's (#15821) * fix: use Chromium's determined new site instance as candidate when navigating. When navigating to a new address, consider using Chromium's determined site instance for the new page as it should belong to an existing browsing instance when the navigation was triggered by window.open(). fixes 8100. * Revert "fix: use Chromium's determined new site instance as candidate when navigating." This reverts commit eb95f935654a2c4d4457821297670836c10fdfd5. * fix: delegate site instance creation back to content when sandboxed. * fix: ensure site isolation is on * test: adapt ut for cross-site navigation * fix: register pending processes during a navigation. * refactor: dont call loadURL for a window constructed from an existing webContents. * test: add sandboxed affinity UT's. * fix: check affinity before deciding if to force a new site instance. * chore: adapt subsequent patch. * refactor: constify logically const methods. * fix: do not reuse site instances when navigation redirects cross-site. * test: ensure localStorage accessible after x-site redirect. * test: adapt localStorage acess denied UT for site isolation. * fix: do not send render-view-deleted for speculative frames. * chore: amend tests after rebase. * test: add ut for webContents' render-view-deleted emission * fix: introduce current-render-view-deleted for current RVH's deletions. Revert render-view-deleted to being emitted with any RVH's deletion. current-render-view-deleted is emitted only when the RVH being deleted is the current one. * refactor: style and comments fixed.
2018-12-05 08:03:39 +00:00
// webContents is not necessary (it will navigate there anyway).
const loadOptions = {
httpReferrer: referrer
}
2016-11-11 17:22:45 +00:00
if (postData != null) {
loadOptions.postData = postData
loadOptions.extraHeaders = 'content-type: application/x-www-form-urlencoded'
2016-11-11 17:22:45 +00:00
if (postData.length > 0) {
const postDataFront = postData[0].bytes.toString()
2016-11-11 17:22:45 +00:00
const boundary = /^--.*[^-\r\n]/.exec(postDataFront)
if (boundary != null) {
loadOptions.extraHeaders = `content-type: multipart/form-data; boundary=${boundary[0].substr(2)}`
}
}
2016-10-10 12:58:56 +00:00
}
guest.loadURL(url, loadOptions)
2016-09-29 13:37:28 +00:00
}
2016-09-29 14:01:05 +00:00
return setupGuest(embedder, frameName, guest, options)
}
const getGuestWindow = function (guestContents) {
let guestWindow = BrowserWindow.fromWebContents(guestContents)
2016-06-09 20:53:36 +00:00
if (guestWindow == null) {
const hostContents = guestContents.hostWebContents
if (hostContents != null) {
guestWindow = BrowserWindow.fromWebContents(hostContents)
}
}
if (!guestWindow) {
throw new Error('getGuestWindow failed')
}
return guestWindow
}
2016-01-12 02:40:23 +00:00
const isChildWindow = function (sender, target) {
return target.getLastWebPreferences().openerId === sender.id
}
const isRelatedWindow = function (sender, target) {
return isChildWindow(sender, target) || isChildWindow(target, sender)
}
const isScriptableWindow = function (sender, target) {
return isRelatedWindow(sender, target) && isSameOrigin(sender.getURL(), target.getURL())
}
const isNodeIntegrationEnabled = function (sender) {
return sender.getLastWebPreferences().nodeIntegration === true
}
// Checks whether |sender| can access the |target|:
const canAccessWindow = function (sender, target) {
return isChildWindow(sender, target) ||
isScriptableWindow(sender, target) ||
isNodeIntegrationEnabled(sender)
}
// Routed window.open messages with raw options
ipcMainInternal.on('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_OPEN', (event, url, frameName, features) => {
if (url == null || url === '') url = 'about:blank'
if (frameName == null) frameName = ''
if (features == null) features = ''
const options = {}
const ints = ['x', 'y', 'width', 'height', 'minWidth', 'maxWidth', 'minHeight', 'maxHeight', 'zoomFactor']
const webPreferences = ['zoomFactor', 'nodeIntegration', 'enableRemoteModule', 'preload', 'javascript', 'contextIsolation', 'webviewTag']
const disposition = 'new-window'
// Used to store additional features
const additionalFeatures = []
// Parse the features
parseFeaturesString(features, function (key, value) {
if (value === undefined) {
additionalFeatures.push(key)
} else {
// Don't allow webPreferences to be set since it must be an object
// that cannot be directly overridden
if (key === 'webPreferences') return
if (webPreferences.includes(key)) {
if (options.webPreferences == null) {
options.webPreferences = {}
}
options.webPreferences[key] = value
} else {
options[key] = value
}
}
})
if (options.left) {
if (options.x == null) {
options.x = options.left
}
}
if (options.top) {
if (options.y == null) {
options.y = options.top
}
}
if (options.title == null) {
options.title = frameName
}
if (options.width == null) {
options.width = 800
}
if (options.height == null) {
options.height = 600
}
for (const name of ints) {
if (options[name] != null) {
options[name] = parseInt(options[name], 10)
}
}
const referrer = { url: '', policy: 'default' }
internalWindowOpen(event, url, referrer, frameName, disposition, options, additionalFeatures)
})
// Routed window.open messages with fully parsed options
function internalWindowOpen (event, url, referrer, frameName, disposition, options, additionalFeatures, postData) {
options = mergeBrowserWindowOptions(event.sender, options)
event.sender.emit('new-window', event, url, frameName, disposition, options, additionalFeatures, referrer)
2018-09-13 16:10:51 +00:00
const { newGuest } = event
if ((event.sender.getType() === 'webview' && event.sender.getLastWebPreferences().disablePopups) || event.defaultPrevented) {
2017-05-23 21:49:00 +00:00
if (newGuest != null) {
if (options.webContents === newGuest.webContents) {
// the webContents is not changed, so set defaultPrevented to false to
// stop the callers of this event from destroying the webContents.
event.defaultPrevented = false
}
2016-09-29 14:01:05 +00:00
event.returnValue = setupGuest(event.sender, frameName, newGuest, options)
2016-09-29 12:41:35 +00:00
} else {
event.returnValue = null
2016-09-29 12:41:35 +00:00
}
2016-01-12 02:40:23 +00:00
} else {
event.returnValue = createGuest(event.sender, url, referrer, frameName, options, postData)
2016-01-12 02:40:23 +00:00
}
}
2016-01-12 02:40:23 +00:00
const makeSafeHandler = function (handler) {
return (event, guestId, ...args) => {
// Access webContents via electron to prevent circular require.
const guestContents = electron.webContents.fromId(guestId)
if (!guestContents) {
throw new Error(`Invalid guestId: ${guestId}`)
}
return handler(event, guestContents, ...args)
}
}
const handleMessage = function (channel, handler) {
ipcMainInternal.handle(channel, makeSafeHandler(handler))
}
const handleMessageSync = function (channel, handler) {
ipcMainUtils.handleSync(channel, makeSafeHandler(handler))
}
const securityCheck = function (contents, guestContents, check) {
if (!check(contents, guestContents)) {
console.error(`Blocked ${contents.getURL()} from accessing guestId: ${guestContents.id}`)
throw new Error(`Access denied to guestId: ${guestContents.id}`)
}
}
2016-01-12 02:40:23 +00:00
const windowMethods = new Set([
'destroy',
'focus',
'blur'
])
handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_METHOD', (event, guestContents, method, ...args) => {
securityCheck(event.sender, guestContents, canAccessWindow)
if (!windowMethods.has(method)) {
console.error(`Blocked ${event.sender.getURL()} from calling method: ${method}`)
throw new Error(`Invalid method: ${method}`)
}
return getGuestWindow(guestContents)[method](...args)
})
2016-01-12 02:40:23 +00:00
handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_POSTMESSAGE', (event, guestContents, message, targetOrigin, sourceOrigin) => {
if (targetOrigin == null) {
targetOrigin = '*'
}
// The W3C does not seem to have word on how postMessage should work when the
// origins do not match, so we do not do |canAccessWindow| check here since
// postMessage across origins is useful and not harmful.
securityCheck(event.sender, guestContents, isRelatedWindow)
if (targetOrigin === '*' || isSameOrigin(guestContents.getURL(), targetOrigin)) {
const sourceId = event.sender.id
guestContents._sendInternal('ELECTRON_GUEST_WINDOW_POSTMESSAGE', sourceId, message, sourceOrigin)
2016-01-12 02:40:23 +00:00
}
})
2016-01-12 02:40:23 +00:00
const webContentsMethodsAsync = new Set([
'loadURL',
'executeJavaScript',
'print'
])
handleMessage('ELECTRON_GUEST_WINDOW_MANAGER_WEB_CONTENTS_METHOD', (event, guestContents, method, ...args) => {
securityCheck(event.sender, guestContents, canAccessWindow)
if (!webContentsMethodsAsync.has(method)) {
console.error(`Blocked ${event.sender.getURL()} from calling method: ${method}`)
throw new Error(`Invalid method: ${method}`)
}
return guestContents[method](...args)
})
const webContentsMethodsSync = new Set([
'getURL'
])
handleMessageSync('ELECTRON_GUEST_WINDOW_MANAGER_WEB_CONTENTS_METHOD', (event, guestContents, method, ...args) => {
securityCheck(event.sender, guestContents, canAccessWindow)
if (!webContentsMethodsSync.has(method)) {
console.error(`Blocked ${event.sender.getURL()} from calling method: ${method}`)
throw new Error(`Invalid method: ${method}`)
}
return guestContents[method](...args)
})
exports.internalWindowOpen = internalWindowOpen