feat: only allow bundled preload scripts (#17308)

This commit is contained in:
Milan Burda 2019-03-28 11:38:51 +01:00 committed by Alexey Kuzmin
parent 3d307e5610
commit 8cf15cc931
11 changed files with 79 additions and 3 deletions

View file

@ -81,6 +81,10 @@ powerMonitor.querySystemIdleTime(callback)
const idleTime = getSystemIdleTime()
```
## Preload scripts outside of app path are not allowed
For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
# Planned Breaking API Changes (5.0)
## `new BrowserWindow({ webPreferences })`

View file

@ -266,6 +266,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
When node integration is turned off, the preload script can reintroduce
Node global symbols back to the global scope. See example
[here](process.md#event-loaded).
**Note:** For security reasons, preload scripts can only be loaded from
a subpath of the [app path](app.md#appgetapppath).
* `sandbox` Boolean (optional) - If set, this will sandbox the renderer
associated with the window, making it compatible with the Chromium
OS-level sandbox and disabling the Node.js engine. This is not the same as

View file

@ -77,7 +77,7 @@ app.on('ready', () => {
win = new BrowserWindow({
webPreferences: {
sandbox: true,
preload: 'preload.js'
preload: path.join(app.getAppPath(), 'preload.js')
}
})
win.loadURL('http://google.com')

View file

@ -561,6 +561,8 @@ Returns `Promise<void>` - resolves when the sessions HTTP authentication cach
Adds scripts that will be executed on ALL web contents that are associated with
this session just before normal `preload` scripts run.
**Note:** For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
#### `ses.getPreloads()`
Returns `String[]` an array of paths to preload scripts that have been

View file

@ -162,6 +162,9 @@ When the guest page doesn't have node integration this script will still have
access to all Node APIs, but global objects injected by Node will be deleted
after this script has finished executing.
**Note:** For security reasons, preload scripts can only be loaded from
a subpath of the [app path](app.md#appgetapppath).
**Note:** This option will be appear as `preloadURL` (not `preload`) in
the `webPreferences` specified to the `will-attach-webview` event.

View file

@ -193,7 +193,7 @@ const mainWindow = new BrowserWindow({
webPreferences: {
nodeIntegration: false,
nodeIntegrationInWorker: false,
preload: './preload.js'
preload: path.join(app.getAppPath(), 'preload.js')
}
})
@ -260,7 +260,7 @@ very small investment.
const mainWindow = new BrowserWindow({
webPreferences: {
contextIsolation: true,
preload: 'preload.js'
preload: path.join(app.getAppPath(), 'preload.js')
}
})
```