Merge pull request #4897 from atom/node-integration-inheritance

Disable node on child window when disabled on parent

docs/api/web-view-tag.md

@@ -84,6 +84,9 @@ than the minimum values or greater than the maximum.
 If "on", the guest page in `webview` will have node integration and can use node
 APIs like `require` and `process` to access low level system resources.
 
+**Note:** Node integration will always be disabled in the `webview` if it is
+disabled on the parent window.
+
 ### `plugins`
 
 ```html

docs/api/window-open.md

@@ -23,6 +23,9 @@ Creates a new window and returns an instance of `BrowserWindowProxy` class.
 The `features` string follows the format of standard browser, but each feature
 has to be a field of `BrowserWindow`'s options.
 
+**Note:** Node integration will always be disabled in the opened `window` if it
+is disabled on the parent window.
+
 ### `window.opener.postMessage(message, targetOrigin)`
 
 * `message` String

lib/browser/guest-window-manager.js

@@ -35,6 +35,12 @@ var mergeBrowserWindowOptions = function (embedder, options) {
     }
     mergeOptions(options.webPreferences, embedder.getWebPreferences())
   }
+
+  // Disable node integration on child window if disabled on parent window
+  if (embedder.getWebPreferences().nodeIntegration === false) {
+    options.webPreferences.nodeIntegration = false
+  }
+
   return options
 }
 

spec/chromium-spec.js

@@ -160,7 +160,7 @@ describe('chromium feature', function () {
     it('accepts "nodeIntegration" as feature', function (done) {
       var b
       listener = function (event) {
-        assert.equal(event.data, 'undefined')
+        assert.equal(event.data.isProcessGlobalUndefined, true)
         b.close()
         done()
       }
@@ -182,6 +182,26 @@ describe('chromium feature', function () {
       b = window.open('file://' + fixtures + '/pages/window-open-size.html', '', 'show=no')
     })
 
+    it('disables node integration when it is disabled on the parent window', function (done) {
+      var b
+      listener = function (event) {
+        assert.equal(event.data.isProcessGlobalUndefined, true)
+        b.close()
+        done()
+      }
+      window.addEventListener('message', listener)
+
+      var windowUrl = require('url').format({
+        pathname: `${fixtures}/pages/window-opener-no-node-integration.html`,
+        protocol: 'file',
+        query: {
+          p: `${fixtures}/pages/window-opener-node.html`
+        },
+        slashes: true
+      })
+      b = window.open(windowUrl, '', 'nodeIntegration=no,show=no')
+    })
+
     it('does not override child options', function (done) {
       var b, size
       size = {

spec/fixtures/pages/webview-opener-no-node-integration.html

@@ -0,0 +1,8 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  var windowUrl = decodeURIComponent(window.location.search.substring(3))
+  window.open('file://' + windowUrl, '', 'nodeIntegration=yes,show=no')
+</script>
+</body>
+</html>

spec/fixtures/pages/window-opener-no-node-integration.html

@@ -0,0 +1,15 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  var windowUrl = decodeURIComponent(window.location.search.substring(3))
+  var opened = window.open('file://' + windowUrl, '', 'nodeIntegration=yes,show=no')
+  window.addEventListener('message', function (event) {
+    try {
+      opened.close()
+    } finally {
+      window.opener.postMessage(event.data, '*')
+    }
+  })
+</script>
+</body>
+</html>

spec/fixtures/pages/window-opener-node.html

@@ -1,7 +1,7 @@
 <html>
 <body>
 <script type="text/javascript" charset="utf-8">
-  window.opener.postMessage(typeof process, '*')
+  window.opener.postMessage({isProcessGlobalUndefined: typeof process === 'undefined'}, '*')
 </script>
 </body>
 </html>

spec/webview-spec.js

@@ -2,6 +2,7 @@ const assert = require('assert')
 const path = require('path')
 const http = require('http')
 const url = require('url')
+const {app, session} = require('electron').remote
 
 describe('<webview> tag', function () {
   this.timeout(10000)
@@ -74,6 +75,26 @@ describe('<webview> tag', function () {
       document.body.appendChild(webview)
     })
 
+
+    it('disables node integration on child windows when it is disabled on the webview', function (done) {
+      app.once('browser-window-created', function (event, window) {
+        assert.equal(window.webContents.getWebPreferences().nodeIntegration, false)
+        done()
+      })
+
+      webview.setAttribute('allowpopups', 'on')
+
+      webview.src = url.format({
+        pathname: `${fixtures}/pages/webview-opener-no-node-integration.html`,
+        protocol: 'file',
+        query: {
+          p: `${fixtures}/pages/window-opener-node.html`
+        },
+        slashes: true
+      })
+      document.body.appendChild(webview)
+    })
+
     if (process.platform !== 'win32' || process.execPath.toLowerCase().indexOf('\\out\\d\\') === -1) {
       it('loads native modules when navigation happens', function (done) {
         var listener = function () {
@@ -681,7 +702,6 @@ describe('<webview> tag', function () {
 
   describe('permission-request event', function () {
     function setUpRequestHandler (webview, requested_permission) {
-      const session = require('electron').remote.session
       var listener = function (webContents, permission, callback) {
         if (webContents.getId() === webview.getId()) {
           assert.equal(permission, requested_permission)