From 87b1dab4972a859be53afedba2369a3a5abe7da0 Mon Sep 17 00:00:00 2001
From: Milan Burda
Date: Thu, 4 Jul 2019 18:22:08 +0200
Subject: [PATCH] fix: check parent-child relationship in canAccessWindow (#19077)

---
 lib/browser/guest-window-manager.js | 31 ++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/lib/browser/guest-window-manager.js b/lib/browser/guest-window-manager.js
index fb8b8ddd5e3e..68987ddb9db0 100644
--- a/lib/browser/guest-window-manager.js
+++ b/lib/browser/guest-window-manager.js
@@ -156,20 +156,27 @@ const getGuestWindow = function (guestContents) {
   return guestWindow
 }
 
+const isChildWindow = function (sender, target) {
+  return target.getLastWebPreferences().openerId === sender.id
+}
+
+const isRelatedWindow = function (sender, target) {
+  return isChildWindow(sender, target) || isChildWindow(target, sender)
+}
+
+const isScriptableWindow = function (sender, target) {
+  return isRelatedWindow(sender, target) && isSameOrigin(sender.getURL(), target.getURL())
+}
+
+const isNodeIntegrationEnabled = function (sender) {
+  return sender.getLastWebPreferences().nodeIntegration === true
+}
+
 // Checks whether |sender| can access the |target|:
-// 1. Check whether |sender| is the parent of |target|.
-// 2. Check whether |sender| has node integration, if so it is allowed to
-// do anything it wants.
-// 3. Check whether the origins match.
-//
-// However it allows a child window without node integration but with same
-// origin to do anything it wants, when its opener window has node integration.
-// The W3C does not have anything on this, but from my understanding of the
-// security model of |window.opener|, this should be fine.
 const canAccessWindow = function (sender, target) {
-  return (target.getLastWebPreferences().openerId === sender.id) ||
-    (sender.getLastWebPreferences().nodeIntegration === true) ||
-    isSameOrigin(sender.getURL(), target.getURL())
+  return isChildWindow(sender, target) ||
+    isScriptableWindow(sender, target) ||
+    isNodeIntegrationEnabled(sender)
 }
 
 // Routed window.open messages with raw options
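Review bot: The trailing `isNodeIntegrationEnabled(sender)` clause in `canAccessWindow` still grants a sender with node integration access to any target, related or not, so the opener relationship this commit introduces only constrains senders without node integration; if that unrestricted reach is intended it should be stated where the header comment now stops at `// Checks whether |sender| can access the |target|:` with the old explanatory list deleted and nothing put in its place. I would replace that dangling line with `// Checks whether |sender| can access |target|: |sender| opened |target|, the two are opener-related and same-origin, or |sender| has node integration (which may reach any window).` The new helpers also call `getLastWebPreferences()` without a guard; if that can return undefined for some contents, `isChildWindow` and `isNodeIntegrationEnabled` would throw instead of denying access, which is worth confirming against the WebContents API.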