mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

fix: do not trigger CSP violations when checking eval (#30991)

Browse source 
* fix: do not trigger CSP violations when checking eval

* Update shell/renderer/api/electron_api_web_frame.cc

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
This commit is contained in:
Samuel Attard 2021-10-25 14:11:24 -07:00 committed by GitHub
parent add94f5fe6
commit 63eed52626
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

13
shell/renderer/api/electron_api_web_frame.cc
View file

@ -49,6 +49,8 @@
#include "third_party/blink/public/web/web_script_execution_callback.h"
#include "third_party/blink/public/web/web_script_source.h"
#include "third_party/blink/public/web/web_view.h"
#include "third_party/blink/renderer/core/execution_context/execution_context.h" // nogncheck
#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h" // nogncheck
#include "third_party/blink/renderer/platform/bindings/dom_wrapper_world.h" // nogncheck
#include "ui/base/ime/ime_text_span.h"
#include "url/url_util.h"
@ -369,6 +371,7 @@ class WebFrameRenderer : public gin::Wrappable<WebFrameRenderer>,
.SetMethod("insertText", &WebFrameRenderer::InsertText)
.SetMethod("insertCSS", &WebFrameRenderer::InsertCSS)
.SetMethod("removeInsertedCSS", &WebFrameRenderer::RemoveInsertedCSS)
.SetMethod("_isEvalAllowed", &WebFrameRenderer::IsEvalAllowed)
.SetMethod("executeJavaScript", &WebFrameRenderer::ExecuteJavaScript)
.SetMethod("executeJavaScriptInIsolatedWorld",
&WebFrameRenderer::ExecuteJavaScriptInIsolatedWorld)
@ -637,6 +640,16 @@ class WebFrameRenderer : public gin::Wrappable<WebFrameRenderer>,
}
}
bool IsEvalAllowed(v8::Isolate* isolate) {
content::RenderFrame* render_frame;
if (!MaybeGetRenderFrame(isolate, "isEvalAllowed", &render_frame))
return true;
auto* context = blink::ExecutionContext::From(
render_frame->GetWebFrame()->MainWorldScriptContext());
return !context->GetContentSecurityPolicy()->ShouldCheckEval();
}
v8::Local<v8::Promise> ExecuteJavaScript(gin::Arguments* gin_args,
const std::u16string& code) {
gin_helper::Arguments* args = static_cast<gin_helper::Arguments*>(gin_args);