Merge pull request #5559 from electron/disable-webview

Disable webview when nodeIntegration is off
This commit is contained in:
Cheng Zhao 2016-05-18 01:26:58 +00:00
commit 397d0e34ee
5 changed files with 34 additions and 41 deletions

View file

@ -12,6 +12,9 @@ app. It doesn't have the same permissions as your web page and all interactions
between your app and embedded content will be asynchronous. This keeps your app
safe from the embedded content.
For security purpose, `webview` can only be used in `BrowserWindow`s that have
`nodeIntegration` enabled.
## Example
To embed a web page in your app, add the `webview` tag to your app's embedder

View file

@ -183,10 +183,6 @@ var attachGuest = function (embedder, elementInstanceId, guestInstanceId, params
blinkFeatures: params.blinkfeatures
}
if (embedder.getWebPreferences().nodeIntegration === false) {
webPreferences.nodeIntegration = false
}
if (params.preload) {
webPreferences.preloadURL = params.preload
}

View file

@ -70,7 +70,7 @@ if (window.location.protocol === 'chrome-devtools:') {
require('./override')
// Load webview tag implementation.
if (process.guestInstanceId == null) {
if (nodeIntegration === 'true' && process.guestInstanceId == null) {
require('./web-view/web-view')
require('./web-view/web-view-attributes')
}

View file

@ -0,0 +1,5 @@
const {ipcRenderer} = require('electron')
window.onload = function () {
ipcRenderer.send('webview', typeof WebView)
}

View file

@ -8,7 +8,9 @@ describe('<webview> tag', function () {
this.timeout(20000)
var fixtures = path.join(__dirname, 'fixtures')
var webview = null
let w = null
beforeEach(function () {
webview = new WebView()
@ -18,17 +20,38 @@ describe('<webview> tag', function () {
if (document.body.contains(webview)) {
document.body.removeChild(webview)
}
if (w) {
w.destroy()
w = null
}
})
it('works without script tag in page', function (done) {
let w = new BrowserWindow({show: false})
w = new BrowserWindow({show: false})
ipcMain.once('pong', function () {
w.destroy()
done()
})
w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
})
it('is disabled when nodeIntegration is disabled', function (done) {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: false,
preload: path.join(fixtures, 'module', 'preload-webview.js')
},
})
ipcMain.once('webview', function (event, type) {
if (type === 'undefined') {
done()
} else {
done('WebView still exists')
}
})
w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
})
describe('src attribute', function () {
it('specifies the page to load', function (done) {
webview.addEventListener('console-message', function (e) {
@ -84,40 +107,6 @@ describe('<webview> tag', function () {
document.body.appendChild(webview)
})
it('disables node integration when disabled on the parent BrowserWindow', function (done) {
var b = undefined
ipcMain.once('answer', function (event, typeofProcess) {
try {
assert.equal(typeofProcess, 'undefined')
done()
} finally {
b.close()
}
})
var windowUrl = require('url').format({
pathname: `${fixtures}/pages/webview-no-node-integration-on-window.html`,
protocol: 'file',
query: {
p: `${fixtures}/pages/web-view-log-process.html`
},
slashes: true
})
var preload = path.join(fixtures, 'module', 'answer.js')
b = new BrowserWindow({
height: 400,
width: 400,
show: false,
webPreferences: {
preload: preload,
nodeIntegration: false,
}
})
b.loadURL(windowUrl)
})
it('disables node integration on child windows when it is disabled on the webview', function (done) {
app.once('browser-window-created', function (event, window) {
assert.equal(window.webContents.getWebPreferences().nodeIntegration, false)