Revert "sec: deprecate some webPreference defaults to be secure-by-default (#14284)" (#14380)

This reverts commit 66d6ba8689.
Samuel Attard 2018-08-30 09:57:49 +12:00 committed by GitHub
parent 66d6ba8689
commit 1b7418fb7b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 43 additions and 100 deletions


@ -8,7 +8,6 @@
#include <string> #include <string>
#include <vector> #include <vector>
#include "atom/browser/api/atom_api_web_contents.h"
#include "atom/browser/native_window.h" #include "atom/browser/native_window.h"
#include "atom/browser/web_view_manager.h" #include "atom/browser/web_view_manager.h"
#include "atom/common/native_mate_converters/value_converter.h" #include "atom/common/native_mate_converters/value_converter.h"
@ -100,14 +99,12 @@ WebContentsPreferences::WebContentsPreferences(
// Set WebPreferences defaults onto the JS object // Set WebPreferences defaults onto the JS object
SetDefaultBoolIfUndefined(options::kPlugins, false); SetDefaultBoolIfUndefined(options::kPlugins, false);
SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false); SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);
bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true, bool node = SetDefaultBoolIfUndefined(options::kNodeIntegration, true);
Status::Deprecated);
SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false); SetDefaultBoolIfUndefined(options::kNodeIntegrationInWorker, false);
SetDefaultBoolIfUndefined(options::kWebviewTag, node, Status::Deprecated); SetDefaultBoolIfUndefined(options::kWebviewTag, node);
SetDefaultBoolIfUndefined(options::kSandbox, false); SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false); SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kContextIsolation, false, SetDefaultBoolIfUndefined(options::kContextIsolation, false);
Status::Deprecated);
SetDefaultBoolIfUndefined("javascript", true); SetDefaultBoolIfUndefined("javascript", true);
SetDefaultBoolIfUndefined("images", true); SetDefaultBoolIfUndefined("images", true);
SetDefaultBoolIfUndefined("textAreasAreResizable", true); SetDefaultBoolIfUndefined("textAreasAreResizable", true);
@ -137,25 +134,16 @@ WebContentsPreferences::~WebContentsPreferences() {
bool WebContentsPreferences::SetDefaultBoolIfUndefined( bool WebContentsPreferences::SetDefaultBoolIfUndefined(
const base::StringPiece& key, const base::StringPiece& key,
bool val, bool val) {
Status status) {
auto* current_value = auto* current_value =
preference_.FindKeyOfType(key, base::Value::Type::BOOLEAN); preference_.FindKeyOfType(key, base::Value::Type::BOOLEAN);
if (current_value) { if (current_value) {
return current_value->GetBool(); return current_value->GetBool();
} else { } else {
preference_.SetKey(key, base::Value(val)); preference_.SetKey(key, base::Value(val));
if (status == Status::Deprecated && web_contents_) {
auto internal_contents = atom::api::WebContents::CreateFrom(
v8::Isolate::GetCurrent(), web_contents_);
internal_contents->Emit("-deprecated-default",
std::string("webPreferences.") + key.data(),
/* oldDefault */ val, /* newDefault */ !val);
}
}
return val; return val;
} }
}
bool WebContentsPreferences::IsEnabled(const base::StringPiece& name, bool WebContentsPreferences::IsEnabled(const base::StringPiece& name,
bool default_value) const { bool default_value) const {
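Review bot: With the `Status::Deprecated` argument gone from the `kNodeIntegration`, `kWebviewTag` and `kContextIsolation` defaults in the constructor hunk, an app that omits these keys gets Node integration on, context isolation off and the webview tag following `node`, with no runtime signal that these are the permissive values. Since the same commit also removes the breaking-changes doc entry, I would record the intent next to the defaults, for example `// SECURITY: permissive defaults kept for compatibility; apps that load untrusted content should set nodeIntegration: false and contextIsolation: true explicitly.` Separately, `SetDefaultBoolIfUndefined` looks the key up with `FindKeyOfType(key, base::Value::Type::BOOLEAN)`, so a non-boolean value supplied by the caller appears to be treated as absent and overwritten by `SetKey`; for `kNodeIntegration` that would turn a value such as `0` into `true`, which is worth confirming. The constructor body starts and continues outside the hunk.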


@ -66,15 +66,11 @@ class WebContentsPreferences
friend class content::WebContentsUserData<WebContentsPreferences>; friend class content::WebContentsUserData<WebContentsPreferences>;
friend class AtomBrowserClient; friend class AtomBrowserClient;
enum class Status { Deprecated, Stable };
// Get WebContents according to process ID. // Get WebContents according to process ID.
static content::WebContents* GetWebContentsFromProcessID(int process_id); static content::WebContents* GetWebContentsFromProcessID(int process_id);
// Set preference value to given bool if user did not provide value // Set preference value to given bool if user did not provide value
bool SetDefaultBoolIfUndefined(const base::StringPiece& key, bool SetDefaultBoolIfUndefined(const base::StringPiece& key, bool val);
bool val,
Status status = Status::Stable);
static std::vector<WebContentsPreferences*> instances_; static std::vector<WebContentsPreferences*> instances_;


@ -16,10 +16,7 @@ exports.load = (appUrl) => {
autoHideMenuBar: true, autoHideMenuBar: true,
backgroundColor: '#FFFFFF', backgroundColor: '#FFFFFF',
webPreferences: { webPreferences: {
nodeIntegration: false, nodeIntegrationInWorker: true
webviewTag: false,
contextIsolation: true,
preload: path.resolve(__dirname, 'renderer.js')
}, },
useContentSize: true, useContentSize: true,
show: false show: false
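Review bot: The new `webPreferences` object holds only `nodeIntegrationInWorker: true`, so this window now depends on the framework defaults for `nodeIntegration`, `webviewTag` and `contextIsolation`, which the same commit leaves at their permissive values. If the page loaded through `appUrl` needs Node access (the renderer script in this commit calls `require('path')` and uses `remote`, presumably for this window), stating it explicitly makes the dependency visible and keeps the window working when the defaults change later: `nodeIntegration: true, // needed by renderer.js (require, remote)`. Keeping `webviewTag: false` from the old side would cost nothing unless the page actually embeds a webview, which is not visible here. The object literal and the enclosing `exports.load` continue outside the hunk.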


@ -83,6 +83,8 @@
</div> </div>
</div> </div>
</nav> </nav>
<script src="./renderer.js"></script>
</body> </body>
</html> </html>


@ -4,7 +4,6 @@ const path = require('path')
const URL = require('url') const URL = require('url')
const electronPath = path.relative(process.cwd(), remote.process.execPath) const electronPath = path.relative(process.cwd(), remote.process.execPath)
function initialize () {
Array.from(document.querySelectorAll('a[href]')).forEach(link => { Array.from(document.querySelectorAll('a[href]')).forEach(link => {
// safely add `?utm_source=default_app // safely add `?utm_source=default_app
let url = URL.parse(link.getAttribute('href'), true) let url = URL.parse(link.getAttribute('href'), true)
@ -51,13 +50,3 @@ function initialize () {
for (const element of document.querySelectorAll('.octicon')) { for (const element of document.querySelectorAll('.octicon')) {
loadSVG(element) loadSVG(element)
} }
}
function onReadyStateChange () {
if (document.readyState === 'complete') {
document.removeEventListener('readystatechange', onReadyStateChange)
initialize()
}
}
document.addEventListener('readystatechange', onReadyStateChange)


@ -34,18 +34,6 @@ app.releaseSingleInstance()
app.releaseSingleInstanceLock() app.releaseSingleInstanceLock()
``` ```
## `new BrowserWindow({ webPreferences: { ... }})`
```js
// Deprecated defaults
const webPreferences = {}
new BrowserWindow({ webPreferences })
// webPreferences.contextIsolation - Default was false, will be true
// webPreferences.nodeIntegration - Default was true, will be false
// webPreferences.webviewTag - Default was true, will be false
```
# Breaking API Changes (3.0) # Breaking API Changes (3.0)


@ -293,10 +293,6 @@ WebContents.prototype._init = function () {
ipcMain.emit(channel, event, ...args) ipcMain.emit(channel, event, ...args)
}) })
this.on('-deprecated-default', function (event, key, oldDefault, newDefault) {
deprecate.warnDefault(key, oldDefault, newDefault)
})
// Handle context menu action request from pepper plugin. // Handle context menu action request from pepper plugin.
this.on('pepper-context-menu', function (event, params, callback) { this.on('pepper-context-menu', function (event, params, callback) {
// Access Menu via electron.Menu to prevent circular require. // Access Menu via electron.Menu to prevent circular require.


@ -31,12 +31,6 @@ deprecate.warn = (oldName, newName) => {
return deprecate.log(`'${oldName}' is deprecated. Use '${newName}' instead.`) return deprecate.log(`'${oldName}' is deprecated. Use '${newName}' instead.`)
} }
deprecate.warnDefault = (propName, oldDefault, newDefault) => {
return deprecate.log(`The default value of '${propName}' is changing from \
'${oldDefault}' to '${newDefault}' in a future release. If you want to keep \
the current value, please explicitly declare the property.`)
}
let deprecationHandler = null let deprecationHandler = null
// Print deprecation message. // Print deprecation message.


@ -61,13 +61,6 @@ const getIsRemoteProtocol = function () {
* @returns {boolean} Is a CSP with `unsafe-eval` set? * @returns {boolean} Is a CSP with `unsafe-eval` set?
*/ */
const isUnsafeEvalEnabled = function () { const isUnsafeEvalEnabled = function () {
// FIXME(MarshallOfSound): Although not exactly true, this warning is incorrect
// when contextIsolation is enabled
// FIXME(MarshallOfSound): Once remote issues have gone away we can remove
// the falsey check
const prefs = getWebPreferences()
if (prefs && prefs.contextIsolation) return false
try { try {
//eslint-disable-next-line //eslint-disable-next-line
new Function(''); new Function('');