feat: only allow bundled preload scripts (#17308)

2019-03-28 11:38:51 +01:00 · 2019-03-28 11:38:51 +01:00 · 8cf15cc931
commit 8cf15cc931
parent 3d307e5610
11 changed files with 79 additions and 3 deletions
--- a/docs/api/breaking-changes.md
+++ b/docs/api/breaking-changes.md
@ -81,6 +81,10 @@ powerMonitor.querySystemIdleTime(callback)
 const idleTime = getSystemIdleTime()
 ```

+## Preload scripts outside of app path are not allowed
+
+For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
+
 # Planned Breaking API Changes (5.0)

 ## `new BrowserWindow({ webPreferences })`
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@ -266,6 +266,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
      When node integration is turned off, the preload script can reintroduce
      Node global symbols back to the global scope. See example
      [here](process.md#event-loaded).
+      **Note:** For security reasons, preload scripts can only be loaded from
+      a subpath of the [app path](app.md#appgetapppath).
    * `sandbox` Boolean (optional) - If set, this will sandbox the renderer
      associated with the window, making it compatible with the Chromium
      OS-level sandbox and disabling the Node.js engine. This is not the same as
--- a/docs/api/sandbox-option.md
+++ b/docs/api/sandbox-option.md
@ -77,7 +77,7 @@ app.on('ready', () => {
  win = new BrowserWindow({
    webPreferences: {
      sandbox: true,
-      preload: 'preload.js'
+      preload: path.join(app.getAppPath(), 'preload.js')
    }
  })
  win.loadURL('http://google.com')
--- a/docs/api/session.md
+++ b/docs/api/session.md
@ -561,6 +561,8 @@ Returns `Promise<void>` - resolves when the session’s HTTP authentication cach
 Adds scripts that will be executed on ALL web contents that are associated with
 this session just before normal `preload` scripts run.

+**Note:** For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
+
 #### `ses.getPreloads()`

 Returns `String[]` an array of paths to preload scripts that have been
--- a/docs/api/webview-tag.md
+++ b/docs/api/webview-tag.md
@ -162,6 +162,9 @@ When the guest page doesn't have node integration this script will still have
 access to all Node APIs, but global objects injected by Node will be deleted
 after this script has finished executing.

+**Note:** For security reasons, preload scripts can only be loaded from
+a subpath of the [app path](app.md#appgetapppath).
+
 **Note:** This option will be appear as `preloadURL` (not `preload`) in
 the `webPreferences` specified to the `will-attach-webview` event.

--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@ -193,7 +193,7 @@ const mainWindow = new BrowserWindow({
  webPreferences: {
    nodeIntegration: false,
    nodeIntegrationInWorker: false,
-    preload: './preload.js'
+    preload: path.join(app.getAppPath(), 'preload.js')
  }
 })

@ -260,7 +260,7 @@ very small investment.
 const mainWindow = new BrowserWindow({
  webPreferences: {
    contextIsolation: true,
-    preload: 'preload.js'
+    preload: path.join(app.getAppPath(), 'preload.js')
  }
 })
 ```