From 16a3f41fd39cee412fee8f4375ddc834351cf152 Mon Sep 17 00:00:00 2001
From: Samuel Attard
Date: Thu, 25 Jun 2020 10:55:17 -0700
Subject: [PATCH] chore: add deprecation warning for the default of contextIsolation (#23507)
* chore: add deprecation warning for the default of contextIsolation
* chore: add to breaking changes
* Update docs/breaking-changes.md
Co-authored-by: Jeremy Apthorp
* chore: fix specs on windows
Co-authored-by: Jeremy Apthorp
---
 docs/breaking-changes.md | 9 +++++++++
 shell/browser/web_contents_preferences.cc | 14 ++++++++++++++
 shell/browser/web_contents_preferences.h | 3 +++
 spec/fixtures/api/gpu-info.js | 2 +-
 spec/fixtures/api/site-instance-overrides/main.js | 3 ++-
 spec/fixtures/api/window-all-closed/main.js | 6 +++++-
 6 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/docs/breaking-changes.md b/docs/breaking-changes.md
index d5bb629de067..60cf96ea404b 100644
--- a/docs/breaking-changes.md
+++ b/docs/breaking-changes.md
@@ -14,6 +14,15 @@ This document uses the following convention to categorize breaking changes:
 ## Planned Breaking API Changes (12.0)
+### Default Changed: `contextIsolation` defaults to `true`
+
+In Electron 12, `contextIsolation` will be enabled by default. To restore
+the previous behavior, `contextIsolation: false` must be specified in WebPreferences.
+
+We [recommend having contextIsolation enabled](https://github.com/electron/electron/blob/master/docs/tutorial/security.md#3-enable-context-isolation-for-remote-content) for the security of your application.
+
+For more details see: https://github.com/electron/electron/issues/23506
+
 ### Removed: `crashReporter` methods in the renderer process
 The following `crashReporter` methods are no longer available in the renderer
diff --git a/shell/browser/web_contents_preferences.cc b/shell/browser/web_contents_preferences.cc
index 891e42ce6880..464181c9051e 100644
--- a/shell/browser/web_contents_preferences.cc
+++ b/shell/browser/web_contents_preferences.cc
@@ -26,6 +26,7 @@
 #include "shell/common/gin_converters/value_converter.h"
 #include "shell/common/gin_helper/dictionary.h"
 #include "shell/common/options_switches.h"
+#include "shell/common/process_util.h"
 #include "third_party/blink/public/mojom/v8_cache_options.mojom.h"
 #if defined(OS_WIN)
@@ -126,6 +127,15 @@ WebContentsPreferences::WebContentsPreferences(
 SetDefaultBoolIfUndefined(options::kWebviewTag, false);
 SetDefaultBoolIfUndefined(options::kSandbox, false);
 SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
+ if (IsUndefined(options::kContextIsolation)) {
+ node::Environment* env = node::Environment::GetCurrent(isolate);
+ EmitWarning(env,
+ "The default of contextIsolation is deprecated and will be "
+ "changing from false to true in a future release of Electron. "
+ "See https://github.com/electron/electron/issues/23506 for "
+ "more information",
+ "electron");
+ }
 SetDefaultBoolIfUndefined(options::kContextIsolation, false);
 SetDefaultBoolIfUndefined(options::kJavaScript, true);
 SetDefaultBoolIfUndefined(options::kImages, true);
@@ -183,6 +193,10 @@ void WebContentsPreferences::SetDefaults() {
 last_preference_ = preference_.Clone();
 }
+bool WebContentsPreferences::IsUndefined(base::StringPiece key) {
+ return !preference_.FindKeyOfType(key, base::Value::Type::BOOLEAN);
+}
+
 bool WebContentsPreferences::SetDefaultBoolIfUndefined(base::StringPiece key,
 bool val) {
 auto* current_value =
diff --git a/shell/browser/web_contents_preferences.h b/shell/browser/web_contents_preferences.h
index a8e434a39323..ac9166a96795 100644
--- a/shell/browser/web_contents_preferences.h
+++ b/shell/browser/web_contents_preferences.h
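Review bot: In the `WebContentsPreferences` constructor the new `EmitWarning` call runs every time a preferences object is built without a boolean `contextIsolation`, and nothing visible in the hunk limits it to once per process, so an app that opens many windows would log the same message repeatedly. A function-local guard would keep the signal readable: `static bool warned = false;` followed by `if (!warned && IsUndefined(options::kContextIsolation)) { warned = true; ... }`. The message could also state the remedy, for example by ending with `"Set contextIsolation explicitly in webPreferences to silence this warning"`, since the non-isolated default of `false` is still applied on the line after the new block. `node::Environment::GetCurrent(isolate)` is passed on unchecked; whether it can return null at this point is not visible from the hunk. The constructor body starts and ends outside the hunk.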
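Review bot: `WebContentsPreferences::IsUndefined` returns true both when the key is absent and when it is present with a non-boolean value, because it tests `FindKeyOfType(key, base::Value::Type::BOOLEAN)`; the name and the header comment `// Checks if the key is not defined` (in the web_contents_preferences.h hunk) describe only the first case. For a security preference such as `contextIsolation` the difference matters: a value like the string `"true"` would take the undefined path and, presumably, be replaced by the default in `SetDefaultBoolIfUndefined`, whose body continues outside the hunk. I would document it as `// Returns true if |key| is absent or not set to a boolean value.` and, if the `const` overload of `FindKeyOfType` is usable here, declare the method `const`.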
@@ -72,6 +72,9 @@ class WebContentsPreferences
 // Get WebContents according to process ID.
 static content::WebContents* GetWebContentsFromProcessID(int process_id);
+ // Checks if the key is not defined
+ bool IsUndefined(base::StringPiece key);
+
 // Set preference value to given bool if user did not provide value
 bool SetDefaultBoolIfUndefined(base::StringPiece key, bool val);
diff --git a/spec/fixtures/api/gpu-info.js b/spec/fixtures/api/gpu-info.js
index dc75c64cac2a..7dbcfd8ea413 100644
--- a/spec/fixtures/api/gpu-info.js
+++ b/spec/fixtures/api/gpu-info.js
@@ -4,7 +4,7 @@ app.commandLine.appendSwitch('--disable-software-rasterizer');
 app.whenReady().then(() => {
 const infoType = process.argv.pop();
- const w = new BrowserWindow({ show: false });
+ const w = new BrowserWindow({ show: false, webPreferences: { contextIsolation: true } });
 w.webContents.once('did-finish-load', () => {
 app.getGPUInfo(infoType).then(
 (gpuInfo) => {
diff --git a/spec/fixtures/api/site-instance-overrides/main.js b/spec/fixtures/api/site-instance-overrides/main.js
index 76fe316b8a6e..8bd019f7cc0d 100644
--- a/spec/fixtures/api/site-instance-overrides/main.js
+++ b/spec/fixtures/api/site-instance-overrides/main.js
@@ -28,7 +28,8 @@ app.whenReady().then(() => {
 win = new BrowserWindow({
 show: false,
 webPreferences: {
- preload: path.resolve(__dirname, 'preload.js')
+ preload: path.resolve(__dirname, 'preload.js'),
+ contextIsolation: true
 }
 });
 win.loadFile('index.html');
diff --git a/spec/fixtures/api/window-all-closed/main.js b/spec/fixtures/api/window-all-closed/main.js
index c19dc483b54c..12f3133d26f0 100644
--- a/spec/fixtures/api/window-all-closed/main.js
+++ b/spec/fixtures/api/window-all-closed/main.js
@@ -15,6 +15,10 @@ app.on('quit', () => {
 });
 app.whenReady().then(() => {
- const win = new BrowserWindow();
+ const win = new BrowserWindow({
+ webPreferences: {
+ contextIsolation: true
+ }
+ });
 win.close();
 });