fix: do not trigger CSP violations when checking eval (#30991)

* fix: do not trigger CSP violations when checking eval

* Update shell/renderer/api/electron_api_web_frame.cc

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
Samuel Attard 2021-10-25 14:11:24 -07:00 committed by GitHub
parent add94f5fe6
commit 63eed52626
4 changed files with 35 additions and 26 deletions


@ -77,15 +77,8 @@ const isLocalhost = function () {
*
* @returns {boolean} Is a CSP with `unsafe-eval` set?
*/
const isUnsafeEvalEnabled: () => Promise<boolean> = function () {
return webFrame.executeJavaScript(`(${(() => {
try {
eval(window.trustedTypes.emptyScript); // eslint-disable-line no-eval
} catch {
return false;
}
return true;
}).toString()})()`, false);
const isUnsafeEvalEnabled = () => {
return webFrame._isEvalAllowed();
};
const moreInformation = `\nFor more information and help, consult
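Review bot: The new body of `isUnsafeEvalEnabled` carries no hint of why it no longer probes with `eval`, so a later maintainer may reintroduce a script-based probe that itself fires a CSP violation report (`report-uri`/`report-to`) and a `securitypolicyviolation` event in every app that ships a strict policy — which is exactly what this commit is removing. Add a comment above `return webFrame._isEvalAllowed();`, e.g. `// Ask the renderer directly instead of calling eval(): an eval() probe is itself a CSP violation and would be reported to the app's report-uri / securitypolicyviolation listeners.` The JSDoc's `@returns {boolean}` is now accurate (the old version actually returned a Promise), but `_isEvalAllowed` is an underscore-prefixed internal binding, so the comment could also note that it is not part of the public `webFrame` API. Because the call is now synchronous, the `.catch(() => {})` that used to guard `warnAboutInsecureCSP` is gone; if the binding can throw in some renderer configuration (not visible here), that error now escapes the warning path instead of silently skipping the warning.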
@ -174,16 +167,14 @@ const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPref
* Logs a warning message about unset or insecure CSP
*/
const warnAboutInsecureCSP = function () {
isUnsafeEvalEnabled().then((enabled) => {
if (!enabled) return;
if (!isUnsafeEvalEnabled()) return;
const warning = `This renderer process has either no Content Security
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
this app to unnecessary security risks.\n${moreInformation}`;
const warning = `This renderer process has either no Content Security
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
this app to unnecessary security risks.\n${moreInformation}`;
console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
'font-weight: bold;', warning);
}).catch(() => {});
console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
'font-weight: bold;', warning);
};
/**