Merge pull request #934 from atom/webview-websecurity

Add "disablewebsecurity" attribute for <webview>

atom/browser/api/atom_api_web_contents.cc

@@ -274,6 +274,9 @@ void WebContents::Destroy() {
     if (!destruction_callback_.is_null())
       destruction_callback_.Run();
 
+    // When force destroying the "destroyed" event is not emitted.
+    WebContentsDestroyed();
+
     Observe(nullptr);
     storage_.reset();
   }

atom/browser/atom_browser_client.cc

@@ -96,6 +96,14 @@ void AtomBrowserClient::OverrideWebkitPrefs(
     return;
   }
 
+  // Custom preferences of guest page.
+  int guest_process_id = render_view_host->GetProcess()->GetID();
+  WebViewRendererState::WebViewInfo info;
+  if (WebViewRendererState::GetInstance()->GetInfo(guest_process_id, &info)) {
+    prefs->web_security_enabled = !info.disable_web_security;
+    return;
+  }
+
   NativeWindow* window = NativeWindow::FromRenderView(
       render_view_host->GetProcess()->GetID(),
       render_view_host->GetRoutingID());

atom/browser/lib/guest-view-manager.coffee

@@ -40,8 +40,9 @@ createGuest = (embedder, params) ->
   destroyEvents = ['destroyed', 'crashed', 'did-navigate-to-different-page']
   destroy = ->
     destroyGuest id if guestInstances[id]?
-    embedder.removeListener event, destroy for event in destroyEvents
   embedder.once event, destroy for event in destroyEvents
+  guest.once 'destroyed', ->
+    embedder.removeListener event, destroy for event in destroyEvents
 
   # Init guest web view after attached.
   guest.once 'did-attach', ->
@@ -93,6 +94,7 @@ attachGuest = (embedder, elementInstanceId, guestInstanceId, params) ->
   webViewManager.addGuest guestInstanceId, elementInstanceId, embedder, guest,
     nodeIntegration: params.nodeintegration
     plugins: params.plugins
+    disableWebSecurity: params.disablewebsecurity
     preloadUrl: params.preload ? ''
 
   guest.attachParams = params

atom/browser/web_view/web_view_manager.cc

@@ -41,7 +41,8 @@ struct Converter<atom::WebViewManager::WebViewOptions> {
       return false;
     return options.Get("nodeIntegration", &(out->node_integration)) &&
            options.Get("plugins", &(out->plugins)) &&
-           options.Get("preloadUrl", &(out->preload_url));
+           options.Get("preloadUrl", &(out->preload_url)) &&
+           options.Get("disableWebSecurity", &(out->disable_web_security));
   }
 };
 
@@ -63,7 +64,10 @@ void WebViewManager::AddGuest(int guest_instance_id,
   web_contents_map_[guest_instance_id] = { web_contents, embedder };
 
   WebViewRendererState::WebViewInfo web_view_info = {
-    guest_instance_id, options.node_integration, options.plugins
+    guest_instance_id,
+    options.node_integration,
+    options.plugins,
+    options.disable_web_security,
   };
   net::FileURLToFilePath(options.preload_url, &web_view_info.preload_script);
   content::BrowserThread::PostTask(

atom/browser/web_view/web_view_manager.h

@@ -24,6 +24,7 @@ class WebViewManager : public content::BrowserPluginGuestManager {
   struct WebViewOptions {
     bool node_integration;
     bool plugins;
+    bool disable_web_security;
     GURL preload_url;
   };
 

atom/browser/web_view/web_view_renderer_state.h

@@ -24,6 +24,7 @@ class WebViewRendererState {
     int guest_instance_id;
     bool node_integration;
     bool plugins;
+    bool disable_web_security;
     base::FilePath preload_script;
   };
 

atom/renderer/lib/web-view/web-view-attributes.coffee

@@ -195,6 +195,7 @@ WebViewImpl::setupWebViewAttributes = ->
   @attributes[webViewConstants.ATTRIBUTE_HTTPREFERRER] = new HttpReferrerAttribute(this)
   @attributes[webViewConstants.ATTRIBUTE_NODEINTEGRATION] = new BooleanAttribute(webViewConstants.ATTRIBUTE_NODEINTEGRATION, this)
   @attributes[webViewConstants.ATTRIBUTE_PLUGINS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_PLUGINS, this)
+  @attributes[webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY] = new BooleanAttribute(webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY, this)
   @attributes[webViewConstants.ATTRIBUTE_PRELOAD] = new PreloadAttribute(this)
 
   autosizeAttributes = [

atom/renderer/lib/web-view/web-view-constants.coffee

@@ -12,6 +12,7 @@ module.exports =
   ATTRIBUTE_HTTPREFERRER: 'httpreferrer'
   ATTRIBUTE_NODEINTEGRATION: 'nodeintegration'
   ATTRIBUTE_PLUGINS: 'plugins'
+  ATTRIBUTE_DISABLEWEBSECURITY: 'disablewebsecurity'
   ATTRIBUTE_PRELOAD: 'preload'
 
   # Internal attribute.

atom/renderer/lib/web-view/web-view.coffee

@@ -50,7 +50,6 @@ class WebViewImpl
     # heard back from createGuest yet. We will not reset the flag in this case so
     # that we don't end up allocating a second guest.
     if @guestInstanceId
-      # FIXME
       guestViewInternal.destroyGuest @guestInstanceId
       @guestInstanceId = undefined
       @beforeFirstNavigation = true

docs/api/web-view-tag.md

@@ -112,6 +112,14 @@ after this script has done execution.
 
 Sets the referrer URL for the guest page.
 
+### disablewebsecurity
+
+```html
+<webview src="https://www.github.com/" disablewebsecurity></webview>
+```
+
+If "on", the guest page will have web security disabled.
+
 ## Methods
 
 ### `<webview>`.getUrl()

spec/webview-spec.coffee

@@ -70,6 +70,36 @@ describe '<webview> tag', ->
       webview.src = "file://#{fixtures}/pages/referrer.html"
       document.body.appendChild webview
 
+  describe 'disablewebsecurity attribute', ->
+    it 'does not disable web security when not set', (done) ->
+      src = "
+        <script src='file://#{__dirname}/static/jquery-2.0.3.min.js'></script>
+        <script>console.log('ok');</script>
+      "
+      encoded = btoa(unescape(encodeURIComponent(src)))
+      listener = (e) ->
+        assert /Not allowed to load local resource/.test(e.message)
+        webview.removeEventListener 'console-message', listener
+        done()
+      webview.addEventListener 'console-message', listener
+      webview.src = "data:text/html;base64,#{encoded}"
+      document.body.appendChild webview
+
+    it 'disables web security when set', (done) ->
+      src = "
+        <script src='file://#{__dirname}/static/jquery-2.0.3.min.js'></script>
+        <script>console.log('ok');</script>
+      "
+      encoded = btoa(unescape(encodeURIComponent(src)))
+      listener = (e) ->
+        assert.equal e.message, 'ok'
+        webview.removeEventListener 'console-message', listener
+        done()
+      webview.addEventListener 'console-message', listener
+      webview.setAttribute 'disablewebsecurity', ''
+      webview.src = "data:text/html;base64,#{encoded}"
+      document.body.appendChild webview
+
   describe 'new-window event', ->
     it 'emits when window.open is called', (done) ->
       webview.addEventListener 'new-window', (e) ->