feat: add security warnings to sandboxed renderers (#14869)

Also refactor not to use the remote module.
2018-10-03 21:36:12 +02:00 · 2018-10-03 21:36:12 +02:00 · 5efb0fdff1
commit 5efb0fdff1
parent de020d0a5e
5 changed files with 327 additions and 224 deletions
--- a/spec/security-warnings-spec.js
+++ b/spec/security-warnings-spec.js
@ -84,6 +84,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about disabled webSecurity (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        webSecurity: false,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Disabled webSecurity'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about insecure Content-Security-Policy', (done) => {
    w = new BrowserWindow({
      show: false,
@ -101,6 +117,23 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about insecure Content-Security-Policy (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Insecure Content-Security-Policy'), message)
+      done()
+    })
+
+    useCsp = false
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about allowRunningInsecureContent', (done) => {
    w = new BrowserWindow({
      show: false,
@ -117,6 +150,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about allowRunningInsecureContent (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        allowRunningInsecureContent: true,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('allowRunningInsecureContent'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about experimentalFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
@ -133,6 +182,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about experimentalFeatures (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        experimentalFeatures: true,
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('experimentalFeatures'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about enableBlinkFeatures', (done) => {
    w = new BrowserWindow({
      show: false,
@ -149,6 +214,22 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should warn about enableBlinkFeatures (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        enableBlinkFeatures: ['my-cool-feature'],
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('enableBlinkFeatures'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
+  })
+
  it('should warn about allowpopups', (done) => {
    w = new BrowserWindow({
      show: false,
@ -164,9 +245,24 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
  })

+  it('should warn about allowpopups (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('allowpopups'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
+  })
+
  it('should warn about insecure resources', (done) => {
    w = new BrowserWindow({
-      show: true,
+      show: false,
      webPreferences: {
        nodeIntegration: false
      }
@ -179,4 +275,20 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
    w.webContents.openDevTools()
  })
+
+  it('should warn about insecure resources (sandboxed)', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        sandbox: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      assert(message.includes('Insecure Resources'), message)
+      done()
+    })
+
+    w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
+    w.webContents.openDevTools()
+  })
 })