diff --git a/docs/api/web-view-tag.md b/docs/api/web-view-tag.md index 32380eccce98..b1d3aaead1e5 100644 --- a/docs/api/web-view-tag.md +++ b/docs/api/web-view-tag.md @@ -12,6 +12,9 @@ app. It doesn't have the same permissions as your web page and all interactions between your app and embedded content will be asynchronous. This keeps your app safe from the embedded content. +For security purpose, `webview` can only be used in `BrowserWindow`s that have +`nodeIntegration` enabled. + ## Example To embed a web page in your app, add the `webview` tag to your app's embedder diff --git a/lib/browser/guest-view-manager.js b/lib/browser/guest-view-manager.js index 58775669c2f4..28768fb128dc 100644 --- a/lib/browser/guest-view-manager.js +++ b/lib/browser/guest-view-manager.js @@ -183,10 +183,6 @@ var attachGuest = function (embedder, elementInstanceId, guestInstanceId, params blinkFeatures: params.blinkfeatures } - if (embedder.getWebPreferences().nodeIntegration === false) { - webPreferences.nodeIntegration = false - } - if (params.preload) { webPreferences.preloadURL = params.preload } diff --git a/lib/renderer/init.js b/lib/renderer/init.js index fadf95256865..bff4ea746ca3 100644 --- a/lib/renderer/init.js +++ b/lib/renderer/init.js @@ -70,7 +70,7 @@ if (window.location.protocol === 'chrome-devtools:') { require('./override') // Load webview tag implementation. - if (process.guestInstanceId == null) { + if (nodeIntegration === 'true' && process.guestInstanceId == null) { require('./web-view/web-view') require('./web-view/web-view-attributes') } diff --git a/spec/fixtures/module/preload-webview.js b/spec/fixtures/module/preload-webview.js new file mode 100644 index 000000000000..273065cdaacd --- /dev/null +++ b/spec/fixtures/module/preload-webview.js @@ -0,0 +1,5 @@ +const {ipcRenderer} = require('electron') + +window.onload = function () { + ipcRenderer.send('webview', typeof WebView) +} diff --git a/spec/webview-spec.js b/spec/webview-spec.js index e8a82a15ed39..64f0eb5d5248 100644 --- a/spec/webview-spec.js +++ b/spec/webview-spec.js @@ -8,7 +8,9 @@ describe(' tag', function () { this.timeout(20000) var fixtures = path.join(__dirname, 'fixtures') + var webview = null + let w = null beforeEach(function () { webview = new WebView() @@ -18,17 +20,38 @@ describe(' tag', function () { if (document.body.contains(webview)) { document.body.removeChild(webview) } + if (w) { + w.destroy() + w = null + } }) it('works without script tag in page', function (done) { - let w = new BrowserWindow({show: false}) + w = new BrowserWindow({show: false}) ipcMain.once('pong', function () { - w.destroy() done() }) w.loadURL('file://' + fixtures + '/pages/webview-no-script.html') }) + it('is disabled when nodeIntegration is disabled', function (done) { + w = new BrowserWindow({ + show: false, + webPreferences: { + nodeIntegration: false, + preload: path.join(fixtures, 'module', 'preload-webview.js') + }, + }) + ipcMain.once('webview', function (event, type) { + if (type === 'undefined') { + done() + } else { + done('WebView still exists') + } + }) + w.loadURL('file://' + fixtures + '/pages/webview-no-script.html') + }) + describe('src attribute', function () { it('specifies the page to load', function (done) { webview.addEventListener('console-message', function (e) { @@ -84,40 +107,6 @@ describe(' tag', function () { document.body.appendChild(webview) }) - it('disables node integration when disabled on the parent BrowserWindow', function (done) { - var b = undefined - - ipcMain.once('answer', function (event, typeofProcess) { - try { - assert.equal(typeofProcess, 'undefined') - done() - } finally { - b.close() - } - }) - - var windowUrl = require('url').format({ - pathname: `${fixtures}/pages/webview-no-node-integration-on-window.html`, - protocol: 'file', - query: { - p: `${fixtures}/pages/web-view-log-process.html` - }, - slashes: true - }) - var preload = path.join(fixtures, 'module', 'answer.js') - - b = new BrowserWindow({ - height: 400, - width: 400, - show: false, - webPreferences: { - preload: preload, - nodeIntegration: false, - } - }) - b.loadURL(windowUrl) - }) - it('disables node integration on child windows when it is disabled on the webview', function (done) { app.once('browser-window-created', function (event, window) { assert.equal(window.webContents.getWebPreferences().nodeIntegration, false)