Add option to override webview security

2017-05-06 22:10:42 -07:00 · 2017-05-06 22:10:42 -07:00 · 94d054cf11
commit 94d054cf11
parent b4a8ed01f1
7 changed files with 64 additions and 2 deletions
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@ -307,6 +307,11 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
      'Electron Isolated Context' entry in the combo box at the top of the
      Console tab. **Note:** This option is currently experimental and may
      change or be removed in future Electron releases.
+    * `enableWebViewOverride` Boolean (optional) - Whether to enable [webview-tag](webview-tag.md)
+      ignoring the security restriction based on `nodeIntegration`. Enabling this option will
+      have security implication on creating `webview` with `nodeIntegration` disabled. To avoid the
+      security risk, listen to `will-create-webview` event on [web-contents](web-contents.md) and 
+      stop creating `webview` or removing preload scripts.

 When setting minimum or maximum window size with `minWidth`/`maxWidth`/
 `minHeight`/`maxHeight`, it only constrains the users. It won't prevent you from
--- a/docs/api/webview-tag.md
+++ b/docs/api/webview-tag.md
@ -15,6 +15,10 @@ between your app and embedded content will be asynchronous. This keeps your app
 safe from the embedded content. **Note:** Most methods called on the
 webview from the host page require a syncronous call to the main process.

+For security purposes, `webview` can only be used in `BrowserWindow`s that have
+`nodeIntegration` enabled. You can override this security restiction using
+`enableWebViewOverride` option on [browser-window](browser-window.md).
+
 ## Example

 To embed a web page in your app, add the `webview` tag to your app's embedder