mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

Blink: Plumb correct security origin for isolated world CSPs.

Browse source 
1395190
This commit is contained in:
deepak1556 2019-01-22 02:15:15 +05:30
parent 2c282203b5
commit 606c84b302
3 changed files with 23 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

46
atom/renderer/api/atom_api_web_frame.cc
View file

@ -22,6 +22,7 @@
#include "native_mate/dictionary.h" #include "native_mate/dictionary.h"
#include "native_mate/object_template_builder.h" #include "native_mate/object_template_builder.h"
#include "third_party/blink/public/platform/web_cache.h" #include "third_party/blink/public/platform/web_cache.h"
#include "third_party/blink/public/platform/web_isolated_world_info.h"
#include "third_party/blink/public/web/web_custom_element.h" #include "third_party/blink/public/web/web_custom_element.h"
#include "third_party/blink/public/web/web_document.h" #include "third_party/blink/public/web/web_document.h"
#include "third_party/blink/public/web/web_element.h" #include "third_party/blink/public/web/web_element.h"
@ -377,46 +378,27 @@ void ExecuteJavaScriptInIsolatedWorld(
scriptExecutionType, callback.release()); scriptExecutionType, callback.release());
} }
void SetIsolatedWorldSecurityOrigin(v8::Local<v8::Value> window,
int world_id,
const std::string& origin_url) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldSecurityOrigin(
world_id, blink::WebSecurityOrigin::CreateFromString(
blink::WebString::FromUTF8(origin_url)));
}
void SetIsolatedWorldContentSecurityPolicy(v8::Local<v8::Value> window,
int world_id,
const std::string& security_policy) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldContentSecurityPolicy(
world_id, blink::WebString::FromUTF8(security_policy));
}
void SetIsolatedWorldHumanReadableName(v8::Local<v8::Value> window,
int world_id,
const std::string& name) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldHumanReadableName(
world_id, blink::WebString::FromUTF8(name));
}
void SetIsolatedWorldInfo(v8::Local<v8::Value> window, void SetIsolatedWorldInfo(v8::Local<v8::Value> window,
int world_id, int world_id,
const mate::Dictionary& options, const mate::Dictionary& options,
mate::Arguments* args) { mate::Arguments* args) {
std::string origin, csp, name; std::string origin_url, security_policy, name;
options.Get("securityOrigin", &origin); options.Get("securityOrigin", &origin_url);
options.Get("csp", &csp); options.Get("csp", &security_policy);
options.Get("name", &name); options.Get("name", &name);
if (!csp.empty() && origin.empty()) { if (!security_policy.empty() && origin_url.empty()) {
args->ThrowError( args->ThrowError(
"If csp is specified, securityOrigin should also be specified"); "If csp is specified, securityOrigin should also be specified");
return; return;
} }
SetIsolatedWorldSecurityOrigin(window, world_id, origin); blink::WebIsolatedWorldInfo info;
SetIsolatedWorldContentSecurityPolicy(window, world_id, csp); info.security_origin = blink::WebSecurityOrigin::CreateFromString(
SetIsolatedWorldHumanReadableName(window, world_id, name); blink::WebString::FromUTF8(origin_url));
info.content_security_policy = blink::WebString::FromUTF8(security_policy);
info.human_readable_name = blink::WebString::FromUTF8(name);
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldInfo(world_id, info);
} }
blink::WebCache::ResourceTypeStats GetResourceUsage(v8::Isolate* isolate) { blink::WebCache::ResourceTypeStats GetResourceUsage(v8::Isolate* isolate) {
@ -550,12 +532,6 @@ void Initialize(v8::Local<v8::Object> exports,
dict.SetMethod("executeJavaScript", &ExecuteJavaScript); dict.SetMethod("executeJavaScript", &ExecuteJavaScript);
dict.SetMethod("executeJavaScriptInIsolatedWorld", dict.SetMethod("executeJavaScriptInIsolatedWorld",
&ExecuteJavaScriptInIsolatedWorld); &ExecuteJavaScriptInIsolatedWorld);
dict.SetMethod("_setIsolatedWorldSecurityOrigin",
&SetIsolatedWorldSecurityOrigin);
dict.SetMethod("_setIsolatedWorldContentSecurityPolicy",
&SetIsolatedWorldContentSecurityPolicy);
dict.SetMethod("_setIsolatedWorldHumanReadableName",
&SetIsolatedWorldHumanReadableName);
dict.SetMethod("setIsolatedWorldInfo", &SetIsolatedWorldInfo); dict.SetMethod("setIsolatedWorldInfo", &SetIsolatedWorldInfo);
dict.SetMethod("getResourceUsage", &GetResourceUsage); dict.SetMethod("getResourceUsage", &GetResourceUsage);
dict.SetMethod("clearCache", &ClearCache); dict.SetMethod("clearCache", &ClearCache);

13
atom/renderer/atom_render_frame_observer.cc
View file

@ -21,6 +21,7 @@
#include "native_mate/dictionary.h" #include "native_mate/dictionary.h"
#include "net/base/net_module.h" #include "net/base/net_module.h"
#include "net/grit/net_resources.h" #include "net/grit/net_resources.h"
#include "third_party/blink/public/platform/web_isolated_world_info.h"
#include "third_party/blink/public/web/blink.h" #include "third_party/blink/public/web/blink.h"
#include "third_party/blink/public/web/web_document.h" #include "third_party/blink/public/web/web_document.h"
#include "third_party/blink/public/web/web_draggable_region.h" #include "third_party/blink/public/web/web_draggable_region.h"
@ -131,16 +132,14 @@ void AtomRenderFrameObserver::OnDestruct() {
void AtomRenderFrameObserver::CreateIsolatedWorldContext() { void AtomRenderFrameObserver::CreateIsolatedWorldContext() {
auto* frame = render_frame_->GetWebFrame(); auto* frame = render_frame_->GetWebFrame();
blink::WebIsolatedWorldInfo info;
// This maps to the name shown in the context combo box in the Console tab // This maps to the name shown in the context combo box in the Console tab
// of the dev tools. // of the dev tools.
frame->SetIsolatedWorldHumanReadableName( info.human_readable_name =
World::ISOLATED_WORLD, blink::WebString::FromUTF8("Electron Isolated Context");
blink::WebString::FromUTF8("Electron Isolated Context"));
// Setup document's origin policy in isolated world // Setup document's origin policy in isolated world
frame->SetIsolatedWorldSecurityOrigin( info.security_origin = frame->GetDocument().GetSecurityOrigin();
World::ISOLATED_WORLD, frame->GetDocument().GetSecurityOrigin()); frame->SetIsolatedWorldInfo(World::ISOLATED_WORLD, info);
// Create initial script context in isolated world // Create initial script context in isolated world
blink::WebScriptSource source("void 0"); blink::WebScriptSource source("void 0");

9
lib/renderer/api/web-frame.js
View file

@ -53,17 +53,20 @@ class WebFrame extends EventEmitter {
// TODO(nitsakh): Remove in 6.0 // TODO(nitsakh): Remove in 6.0
setIsolatedWorldSecurityOrigin (worldId, securityOrigin) { setIsolatedWorldSecurityOrigin (worldId, securityOrigin) {
deprecate.warn('webFrame.setIsolatedWorldSecurityOrigin', 'webFrame.setIsolatedWorldInfo') deprecate.warn('webFrame.setIsolatedWorldSecurityOrigin', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldSecurityOrigin(this.context, worldId, securityOrigin) binding.setIsolatedWorldInfo(this.context, worldId, { securityOrigin })
} }
setIsolatedWorldContentSecurityPolicy (worldId, csp) { setIsolatedWorldContentSecurityPolicy (worldId, csp) {
deprecate.warn('webFrame.setIsolatedWorldContentSecurityPolicy', 'webFrame.setIsolatedWorldInfo') deprecate.warn('webFrame.setIsolatedWorldContentSecurityPolicy', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldContentSecurityPolicy(this.context, worldId, csp) binding.setIsolatedWorldInfo(this.context, worldId, {
securityOrigin: window.location.origin,
csp
})
} }
setIsolatedWorldHumanReadableName (worldId, name) { setIsolatedWorldHumanReadableName (worldId, name) {
deprecate.warn('webFrame.setIsolatedWorldHumanReadableName', 'webFrame.setIsolatedWorldInfo') deprecate.warn('webFrame.setIsolatedWorldHumanReadableName', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldHumanReadableName(this.context, worldId, name) binding.setIsolatedWorldInfo(this.context, worldId, { name })
} }
} }