From e4bd592e0e712a4ba0f3da28eb61e7fb3cd5695a Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Thu, 21 Apr 2016 11:49:42 -0700 Subject: [PATCH 1/2] Add failing spec --- spec/fixtures/module/answer.js | 4 +++ spec/fixtures/pages/web-view-log-process.html | 13 ++++++++ ...webview-no-node-integration-on-window.html | 23 +++++++++++++ spec/webview-spec.js | 33 +++++++++++++++++++ 4 files changed, 73 insertions(+) create mode 100644 spec/fixtures/module/answer.js create mode 100644 spec/fixtures/pages/web-view-log-process.html create mode 100644 spec/fixtures/pages/webview-no-node-integration-on-window.html diff --git a/spec/fixtures/module/answer.js b/spec/fixtures/module/answer.js new file mode 100644 index 000000000000..d592d6cda214 --- /dev/null +++ b/spec/fixtures/module/answer.js @@ -0,0 +1,4 @@ +var ipcRenderer = require('electron').ipcRenderer +window.answer = function (answer) { + ipcRenderer.send('answer', answer) +} diff --git a/spec/fixtures/pages/web-view-log-process.html b/spec/fixtures/pages/web-view-log-process.html new file mode 100644 index 000000000000..9e75edb393e2 --- /dev/null +++ b/spec/fixtures/pages/web-view-log-process.html @@ -0,0 +1,13 @@ + + + + + test + + + + test? + + diff --git a/spec/fixtures/pages/webview-no-node-integration-on-window.html b/spec/fixtures/pages/webview-no-node-integration-on-window.html new file mode 100644 index 000000000000..0af03cf1c497 --- /dev/null +++ b/spec/fixtures/pages/webview-no-node-integration-on-window.html @@ -0,0 +1,23 @@ + + + + + + + + diff --git a/spec/webview-spec.js b/spec/webview-spec.js index 88afbe2f131c..d2c37c857df1 100644 --- a/spec/webview-spec.js +++ b/spec/webview-spec.js @@ -84,6 +84,39 @@ describe(' tag', function () { document.body.appendChild(webview) }) + it('disables node integration when disabled on the parent BrowserWindow', function (done) { + var b = undefined + + ipcMain.once('answer', function (event, typeofProcess) { + try { + assert.equal(typeofProcess, 'undefined') + done() + } finally { + b.close() + } + }) + + var windowUrl = require('url').format({ + pathname: `${fixtures}/pages/webview-no-node-integration-on-window.html`, + protocol: 'file', + query: { + p: `${fixtures}/pages/web-view-log-process.html` + }, + slashes: true + }) + var preload = path.join(fixtures, 'module', 'answer.js') + + b = new BrowserWindow({ + height: 400, + width: 400, + show: false, + webPreferences: { + preload: preload, + nodeIntegration: false, + } + }) + b.loadURL(windowUrl) + }) it('disables node integration on child windows when it is disabled on the webview', function (done) { app.once('browser-window-created', function (event, window) { From 8e7bf1051d9f35837ce7a0a6009a61b5642b8ca1 Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Thu, 21 Apr 2016 11:52:10 -0700 Subject: [PATCH 2/2] Disable node integration on webview when disabled on window --- lib/browser/guest-view-manager.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/browser/guest-view-manager.js b/lib/browser/guest-view-manager.js index ad79fe699a40..58775669c2f4 100644 --- a/lib/browser/guest-view-manager.js +++ b/lib/browser/guest-view-manager.js @@ -182,6 +182,11 @@ var attachGuest = function (embedder, elementInstanceId, guestInstanceId, params webSecurity: !params.disablewebsecurity, blinkFeatures: params.blinkfeatures } + + if (embedder.getWebPreferences().nodeIntegration === false) { + webPreferences.nodeIntegration = false + } + if (params.preload) { webPreferences.preloadURL = params.preload }