Merge pull request #4897 from atom/node-integration-inheritance

Disable node on child window when disabled on parent
2016-04-02 19:14:58 +09:00 · 2016-04-02 19:14:58 +09:00 · 7bfe80f835
commit 7bfe80f835
parent afdad927b7 527ff66115
8 changed files with 78 additions and 3 deletions
--- a/docs/api/web-view-tag.md
+++ b/docs/api/web-view-tag.md
@ -84,6 +84,9 @@ than the minimum values or greater than the maximum.
 If "on", the guest page in `webview` will have node integration and can use node
 APIs like `require` and `process` to access low level system resources.

+**Note:** Node integration will always be disabled in the `webview` if it is
+disabled on the parent window.
+
 ### `plugins`

 ```html
--- a/docs/api/window-open.md
+++ b/docs/api/window-open.md
@ -23,6 +23,9 @@ Creates a new window and returns an instance of `BrowserWindowProxy` class.
 The `features` string follows the format of standard browser, but each feature
 has to be a field of `BrowserWindow`'s options.

+**Note:** Node integration will always be disabled in the opened `window` if it
+is disabled on the parent window.
+
 ### `window.opener.postMessage(message, targetOrigin)`

 * `message` String
--- a/lib/browser/guest-window-manager.js
+++ b/lib/browser/guest-window-manager.js
@ -35,6 +35,12 @@ var mergeBrowserWindowOptions = function (embedder, options) {
    }
    mergeOptions(options.webPreferences, embedder.getWebPreferences())
  }
+
+  // Disable node integration on child window if disabled on parent window
+  if (embedder.getWebPreferences().nodeIntegration === false) {
+    options.webPreferences.nodeIntegration = false
+  }
+
  return options
 }

--- a/spec/chromium-spec.js
+++ b/spec/chromium-spec.js
@ -160,7 +160,7 @@ describe('chromium feature', function () {
    it('accepts "nodeIntegration" as feature', function (done) {
      var b
      listener = function (event) {
-        assert.equal(event.data, 'undefined')
+        assert.equal(event.data.isProcessGlobalUndefined, true)
        b.close()
        done()
      }
@ -182,6 +182,26 @@ describe('chromium feature', function () {
      b = window.open('file://' + fixtures + '/pages/window-open-size.html', '', 'show=no')
    })

+    it('disables node integration when it is disabled on the parent window', function (done) {
+      var b
+      listener = function (event) {
+        assert.equal(event.data.isProcessGlobalUndefined, true)
+        b.close()
+        done()
+      }
+      window.addEventListener('message', listener)
+
+      var windowUrl = require('url').format({
+        pathname: `${fixtures}/pages/window-opener-no-node-integration.html`,
+        protocol: 'file',
+        query: {
+          p: `${fixtures}/pages/window-opener-node.html`
+        },
+        slashes: true
+      })
+      b = window.open(windowUrl, '', 'nodeIntegration=no,show=no')
+    })
+
    it('does not override child options', function (done) {
      var b, size
      size = {
--- a/spec/fixtures/pages/webview-opener-no-node-integration.html
+++ b/spec/fixtures/pages/webview-opener-no-node-integration.html
@ -0,0 +1,8 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  var windowUrl = decodeURIComponent(window.location.search.substring(3))
+  window.open('file://' + windowUrl, '', 'nodeIntegration=yes,show=no')
+</script>
+</body>
+</html>
--- a/spec/fixtures/pages/window-opener-no-node-integration.html
+++ b/spec/fixtures/pages/window-opener-no-node-integration.html
@ -0,0 +1,15 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  var windowUrl = decodeURIComponent(window.location.search.substring(3))
+  var opened = window.open('file://' + windowUrl, '', 'nodeIntegration=yes,show=no')
+  window.addEventListener('message', function (event) {
+    try {
+      opened.close()
+    } finally {
+      window.opener.postMessage(event.data, '*')
+    }
+  })
+</script>
+</body>
+</html>
--- a/spec/fixtures/pages/window-opener-node.html
+++ b/spec/fixtures/pages/window-opener-node.html
@ -1,7 +1,7 @@
 <html>
 <body>
 <script type="text/javascript" charset="utf-8">
-  window.opener.postMessage(typeof process, '*')
+  window.opener.postMessage({isProcessGlobalUndefined: typeof process === 'undefined'}, '*')
 </script>
 </body>
 </html>
--- a/spec/webview-spec.js
+++ b/spec/webview-spec.js
@ -2,6 +2,7 @@ const assert = require('assert')
 const path = require('path')
 const http = require('http')
 const url = require('url')
+const {app, session} = require('electron').remote

 describe('<webview> tag', function () {
  this.timeout(10000)
@ -74,6 +75,26 @@ describe('<webview> tag', function () {
      document.body.appendChild(webview)
    })

+
+    it('disables node integration on child windows when it is disabled on the webview', function (done) {
+      app.once('browser-window-created', function (event, window) {
+        assert.equal(window.webContents.getWebPreferences().nodeIntegration, false)
+        done()
+      })
+
+      webview.setAttribute('allowpopups', 'on')
+
+      webview.src = url.format({
+        pathname: `${fixtures}/pages/webview-opener-no-node-integration.html`,
+        protocol: 'file',
+        query: {
+          p: `${fixtures}/pages/window-opener-node.html`
+        },
+        slashes: true
+      })
+      document.body.appendChild(webview)
+    })
+
    if (process.platform !== 'win32' || process.execPath.toLowerCase().indexOf('\\out\\d\\') === -1) {
      it('loads native modules when navigation happens', function (done) {
        var listener = function () {
@ -681,7 +702,6 @@ describe('<webview> tag', function () {

  describe('permission-request event', function () {
    function setUpRequestHandler (webview, requested_permission) {
-      const session = require('electron').remote.session
      var listener = function (webContents, permission, callback) {
        if (webContents.getId() === webview.getId()) {
          assert.equal(permission, requested_permission)