refactor: clean up the default app implementation (#14719)

* Disable nodeIntegration * Enable contextIsolation * Re-implement the CSP security check to handle running in contextIsolation * Disable bad DCHECKS for the promise helper * Remove the unused "-d" flag for the electron binary * Added a way to hide the default help output for electron devs who don't want to see it every time
2018-09-21 15:24:42 +10:00 · 2018-09-21 15:24:42 +10:00 · 32a9df2940
commit 32a9df2940
parent a24307b8e8
10 changed files with 346 additions and 296 deletions
--- a/lib/renderer/security-warnings.js
+++ b/lib/renderer/security-warnings.js
@ -61,13 +61,18 @@ const getIsRemoteProtocol = function () {
 * @returns {boolean} Is a CSP with `unsafe-eval` set?
 */
 const isUnsafeEvalEnabled = function () {
-  try {
-    // eslint-disable-next-line
-    new Function('');
-    return true
-  } catch (error) {
-    return false
-  }
+  const { webFrame } = require('electron')
+
+  return new Promise((resolve) => {
+    webFrame.executeJavaScript(`(${(() => {
+      try {
+        new Function('') // eslint-disable-line no-new,no-new-func
+      } catch (err) {
+        return false
+      }
+      return true
+    }).toString()})()`, resolve)
+  })
 }

 /**
@ -176,14 +181,16 @@ module.exports = {
   * Logs a warning message about unset or insecure CSP
   */
  warnAboutInsecureCSP: () => {
-    if (isUnsafeEvalEnabled()) {
+    isUnsafeEvalEnabled().then((enabled) => {
+      if (!enabled) return
+
      const warning = `This renderer process has either no Content Security
      Policy set or a policy with "unsafe-eval" enabled. This exposes users of
      this app to unnecessary security risks.\n ${moreInformation}`

      console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
        'font-weight: bold;', warning)
-    }
+    })
  },

  /**