mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Merge pull request #208 from atom/default-sandboxed-iframe

Browse source 
Make iframe sandboxed by default
This commit is contained in:
Cheng Zhao 2014-03-10 15:47:39 +00:00
commit 1019952989
4 changed files with 25 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docs/api/browser/browser-window.md
View file

@ -66,12 +66,15 @@ An example of enable node integration in iframe with `node-integration` set to
<iframe src="http://jandan.net"></iframe> <iframe src="http://jandan.net"></iframe>
``` ```
And you should also notice that the iframes can have access to parent window's And in atom-shell, the security limitaion of iframe is stricter than normal
javascript objects via `window.parent`, so in order to grant complete security browser, by default iframe is sandboxed with all permissions except the
from iframes, you should add `sandbox` attribute to the iframes: `allow-same-origin`, which means iframe could not access parent's js context.
If you want to enable things like `parent.window.process.exit()` in iframe,
you should explictly set `sandbox` to `none`:
```html ```html
<iframe sandbox="allow-scripts" src="http://bbs.seu.edu.cn"></iframe> <iframe sandbox="none" src="https://github.com"></iframe>
``` ```
### Event: 'page-title-updated' ### Event: 'page-title-updated'

2
script/lib/config.py
View file

@ -2,4 +2,4 @@
NODE_VERSION = 'v0.11.10' NODE_VERSION = 'v0.11.10'
BASE_URL = 'https://gh-contractor-zcbenz.s3.amazonaws.com/libchromiumcontent' BASE_URL = 'https://gh-contractor-zcbenz.s3.amazonaws.com/libchromiumcontent'
LIBCHROMIUMCONTENT_COMMIT = '9c654df782c77449e7d8fa741843143145260aeb' LIBCHROMIUMCONTENT_COMMIT = '607907aed2c1dcdd3b5968a756a990ba3f47bca7'

21
spec/chromium-spec.coffee
View file

@ -25,12 +25,14 @@ describe 'chromium feature', ->
assert.equal b.constructor.name, 'BrowserWindow' assert.equal b.constructor.name, 'BrowserWindow'
b.destroy() b.destroy()
describe 'iframe with sandbox attribute', -> describe 'iframe', ->
it 'can not modify parent', (done) -> page = path.join fixtures, 'pages', 'change-parent.html'
page = path.join fixtures, 'pages', 'change-parent.html'
beforeEach ->
global.changedByIframe = false global.changedByIframe = false
iframe = $('<iframe sandbox="allow-scripts">') it 'can not modify parent by default', (done) ->
iframe = $('<iframe>')
iframe.hide() iframe.hide()
iframe.attr 'src', "file://#{page}" iframe.attr 'src', "file://#{page}"
iframe.appendTo 'body' iframe.appendTo 'body'
@ -39,3 +41,14 @@ describe 'chromium feature', ->
assert.equal global.changedByIframe, false assert.equal global.changedByIframe, false
done() done()
setTimeout isChanged, 30 setTimeout isChanged, 30
it 'can modify parent when sanbox is set to none', (done) ->
iframe = $('<iframe sandbox="none">')
iframe.hide()
iframe.attr 'src', "file://#{page}"
iframe.appendTo 'body'
isChanged = ->
iframe.remove()
assert.equal global.changedByIframe, true
done()
setTimeout isChanged, 30

1
spec/fixtures/pages/change-parent.html vendored
View file

@ -1,7 +1,6 @@
<html> <html>
<body> <body>
<script type="text/javascript" charset="utf-8"> <script type="text/javascript" charset="utf-8">
console.log('ready2')
window.parent.changedByIframe = true; window.parent.changedByIframe = true;
</script> </script>
</body> </body>