feat: enable mixed-sandbox mode by default (#15894)

2019-01-22 10:44:28 -08:00 · 2019-01-22 10:44:28 -08:00 · 92b9525cfd
commit 92b9525cfd
parent 1918e76913
12 changed files with 15 additions and 91 deletions
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@ -1250,19 +1250,6 @@ void App::EnableSandbox(mate::Arguments* args) {
  command_line->AppendSwitch(switches::kEnableSandbox);
 }

-void App::EnableMixedSandbox(mate::Arguments* args) {
-  if (Browser::Get()->is_ready()) {
-    args->ThrowError(
-        "app.enableMixedSandbox() can only be called "
-        "before app is ready");
-    return;
-  }
-
-  auto* command_line = base::CommandLine::ForCurrentProcess();
-  RemoveNoSandboxSwitch(command_line);
-  command_line->AppendSwitch(switches::kEnableMixedSandbox);
-}
-
 #if defined(OS_MACOSX)
 bool App::MoveToApplicationsFolder(mate::Arguments* args) {
  return ui::cocoa::AtomBundleMover::Move(args);
@ -1370,8 +1357,7 @@ void App::BuildPrototype(v8::Isolate* isolate,
      .SetMethod("startAccessingSecurityScopedResource",
                 &App::StartAccessingSecurityScopedResource)
 #endif
-      .SetMethod("enableSandbox", &App::EnableSandbox)
-      .SetMethod("enableMixedSandbox", &App::EnableMixedSandbox);
+      .SetMethod("enableSandbox", &App::EnableSandbox);
 }

 }  // namespace api
--- a/atom/browser/api/atom_api_app.h
+++ b/atom/browser/api/atom_api_app.h
@ -206,7 +206,6 @@ class App : public AtomBrowserClient::Delegate,
  v8::Local<v8::Promise> GetGPUInfo(v8::Isolate* isolate,
                                    const std::string& info_type);
  void EnableSandbox(mate::Arguments* args);
-  void EnableMixedSandbox(mate::Arguments* args);

 #if defined(OS_MACOSX)
  bool MoveToApplicationsFolder(mate::Arguments* args);
--- a/atom/browser/atom_browser_client.cc
+++ b/atom/browser/atom_browser_client.cc
@ -71,6 +71,7 @@
 #include "services/device/public/cpp/geolocation/location_provider.h"
 #include "services/network/public/cpp/resource_request_body.h"
 #include "services/proxy_resolver/public/mojom/proxy_resolver.mojom.h"
+#include "services/service_manager/sandbox/switches.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "v8/include/v8.h"
@ -504,6 +505,16 @@ void AtomBrowserClient::AppendExtraCommandLineSwitches(

  content::WebContents* web_contents = GetWebContentsFromProcessID(process_id);
  if (web_contents) {
+    // devtools processes must be launched unsandboxed in order for the remote
+    // API to work in devtools extensions. This is due to the fact that the
+    // remote API assumes that it will only be used from the main frame, but
+    // devtools extensions are loaded from an iframe.
+    // It would be possible to sandbox devtools extensions processes by default
+    // if we made the remote API work with multiple frames.
+    if (web_contents->GetVisibleURL().SchemeIs("chrome-devtools")) {
+      command_line->AppendSwitch(service_manager::switches::kNoSandbox);
+      command_line->AppendSwitch(::switches::kNoZygote);
+    }
    auto* web_preferences = WebContentsPreferences::From(web_contents);
    if (web_preferences)
      web_preferences->AppendCommandLineSwitches(command_line);