sec: deprecate some webPreference defaults to be secure-by-default (#14284)

* feat: deprecate default value of nodeIntegration * Use DeprecationStatus::Stable as the default instead of shadowing * change wording of deprecations * chore: also deprecate kWebviewTag and kContextIsolation * chore: do as we preach, lets be secure-by-default in the default app
2018-08-30 06:14:04 +12:00 · 2018-08-30 06:14:04 +12:00 · 66d6ba8689
commit 66d6ba8689
parent 9b2c14a745
9 changed files with 100 additions and 43 deletions
--- a/lib/renderer/security-warnings.js
+++ b/lib/renderer/security-warnings.js
@ -61,6 +61,13 @@ const getIsRemoteProtocol = function () {
 * @returns {boolean} Is a CSP with `unsafe-eval` set?
 */
 const isUnsafeEvalEnabled = function () {
+  // FIXME(MarshallOfSound): Although not exactly true, this warning is incorrect
+  // when contextIsolation is enabled
+  // FIXME(MarshallOfSound): Once remote issues have gone away we can remove
+  // the falsey check
+  const prefs = getWebPreferences()
+  if (prefs && prefs.contextIsolation) return false
+
  try {
    //eslint-disable-next-line
    new Function('');