fix: child window with nativeWindowOpen should disable node integration (#15213)

* fix: child window with nativeWindowOpen should disable node integration

* Revert "fix: do not enable node integration in child window if not enabled (#15076)"

This reverts commit 0252d7686c.

This patch is not needed anymore since we are force disabling node integration
for child windows.
Cheng Zhao 2018-10-25 15:31:07 +09:00 committed by GitHub
parent 7a23980f4b
commit 2f3a8ecd42
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 36 additions and 55 deletions


@ -16,7 +16,6 @@
#include "atom/renderer/atom_render_frame_observer.h"
#include "atom/renderer/web_worker_observer.h"
#include "base/command_line.h"
#include "content/public/common/web_preferences.h"
#include "content/public/renderer/render_frame.h"
#include "native_mate/dictionary.h"
#include "third_party/blink/public/web/web_document.h"
@ -82,18 +81,20 @@ void AtomRendererClient::DidCreateScriptContext(
content::RenderFrame* render_frame) {
RendererClientBase::DidCreateScriptContext(context, render_frame);
// Only allow node integration for the main frame, unless it is a devtools
// extension page.
if (!render_frame->IsMainFrame() && !IsDevToolsExtension(render_frame))
return;
// Don't allow node integration if this is a child window and it does not have
// node integration enabled. Otherwise we would have memory leak in the child
// window since we don't clean up node environments.
// Only allow node integration for the main frame of the top window, unless it
// is a devtools extension page. Allowing child frames or child windows to
// have node integration would result in memory leak, since we don't destroy
// node environment when script context is destroyed.
//
// TODO(zcbenz): We shouldn't allow node integration even for the top frame.
if (!render_frame->GetWebkitPreferences().node_integration &&
render_frame->GetWebFrame()->Opener())
// DevTools extensions do not follow this rule because our implementation
// requires node integration in iframes to work. And usually DevTools
// extensions do not dynamically add/remove iframes.
//
// TODO(zcbenz): Do not create Node environment if node integration is not
// enabled.
if (!(render_frame->IsMainFrame() &&
!render_frame->GetWebFrame()->Opener()) &&
!IsDevToolsExtension(render_frame))
return;
injected_frames_.insert(render_frame);
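Review bot: The new guard before `injected_frames_.insert(render_frame)` identifies a child window only by `render_frame->GetWebFrame()->Opener()` being set when the script context is created, and its comment gives only the memory-leak reason, so a reader cannot tell that this check is also what keeps Node out of windows opened with nativeWindowOpen. If the opener link can be absent or reset for such a window (for example a noopener open, or a later script context in the same frame after the opener has been cleared), the check would presumably pass. That is not visible from this hunk, so it is worth covering with a test, or recording the child-window status once at frame creation instead of re-deriving it here. The double negation is also easy to misread, and a named condition would help: `const bool is_top_main = render_frame->IsMainFrame() && !render_frame->GetWebFrame()->Opener();` followed by `if (!is_top_main && !IsDevToolsExtension(render_frame)) return;`. The body of DidCreateScriptContext starts before and continues after this hunk.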