mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

add options to webFrame.registerURLSchemeAsPrivileged

Browse source
This commit is contained in:
Paul Frazee 2016-10-18 15:52:41 -05:00
parent 104f8d6057
commit a5c62bb264
4 changed files with 136 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
atom/renderer/api/atom_api_web_frame.cc
View file

@ -140,17 +140,44 @@ void WebFrame::RegisterURLSchemeAsBypassingCSP(const std::string& scheme) {
blink::WebString::fromUTF8(scheme)); blink::WebString::fromUTF8(scheme));
} }
void WebFrame::RegisterURLSchemeAsPrivileged(const std::string& scheme) { void WebFrame::RegisterURLSchemeAsPrivileged(const std::string& scheme,
mate::Arguments* args) {
// Read optional flags
bool secure = true;
bool bypassCSP = true;
bool allowServiceWorkers = true;
bool supportFetchAPI = true;
bool corsEnabled = true;
if (args->Length() == 2) {
mate::Dictionary options;
if (args->GetNext(&options)) {
options.Get("secure", &secure);
options.Get("bypassCSP", &bypassCSP);
options.Get("allowServiceWorkers", &allowServiceWorkers);
options.Get("supportFetchAPI", &supportFetchAPI);
options.Get("corsEnabled", &corsEnabled);
}
}
// Register scheme to privileged list (https, wss, data, chrome-extension) // Register scheme to privileged list (https, wss, data, chrome-extension)
blink::WebString privileged_scheme(blink::WebString::fromUTF8(scheme)); blink::WebString privileged_scheme(blink::WebString::fromUTF8(scheme));
blink::WebSecurityPolicy::registerURLSchemeAsSecure(privileged_scheme); if (secure) {
blink::WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy( blink::WebSecurityPolicy::registerURLSchemeAsSecure(privileged_scheme);
privileged_scheme); }
blink::WebSecurityPolicy::registerURLSchemeAsAllowingServiceWorkers( if (bypassCSP) {
privileged_scheme); blink::WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
blink::WebSecurityPolicy::registerURLSchemeAsSupportingFetchAPI( privileged_scheme);
privileged_scheme); }
blink::WebSecurityPolicy::registerURLSchemeAsCORSEnabled(privileged_scheme); if (allowServiceWorkers) {
blink::WebSecurityPolicy::registerURLSchemeAsAllowingServiceWorkers(
privileged_scheme);
}
if (supportFetchAPI) {
blink::WebSecurityPolicy::registerURLSchemeAsSupportingFetchAPI(
privileged_scheme);
}
if (corsEnabled) {
blink::WebSecurityPolicy::registerURLSchemeAsCORSEnabled(privileged_scheme);
}
} }
void WebFrame::InsertText(const std::string& text) { void WebFrame::InsertText(const std::string& text) {

5
atom/renderer/api/atom_api_web_frame.h
View file

@ -63,7 +63,10 @@ class WebFrame : public mate::Wrappable<WebFrame> {
void RegisterURLSchemeAsSecure(const std::string& scheme); void RegisterURLSchemeAsSecure(const std::string& scheme);
void RegisterURLSchemeAsBypassingCSP(const std::string& scheme); void RegisterURLSchemeAsBypassingCSP(const std::string& scheme);
void RegisterURLSchemeAsPrivileged(const std::string& scheme); void RegisterURLSchemeAsPrivileged(
const std::string& scheme,
mate::Arguments* args
);
// Editing. // Editing.
void InsertText(const std::string& text); void InsertText(const std::string& text);

16
docs/api/web-frame.md
View file

@ -83,13 +83,27 @@ attackers.
Resources will be loaded from this `scheme` regardless of the current page's Resources will be loaded from this `scheme` regardless of the current page's
Content Security Policy. Content Security Policy.
### `webFrame.registerURLSchemeAsPrivileged(scheme)` ### `webFrame.registerURLSchemeAsPrivileged(scheme[, options])`
* `scheme` String * `scheme` String
* `options` Object (optional)
* `secure` Default true.
* `bypassCSP` Default true.
* `allowServiceWorkers` Default true.
* `supportFetchAPI` Default true.
* `corsEnabled` Default true.
Registers the `scheme` as secure, bypasses content security policy for resources, Registers the `scheme` as secure, bypasses content security policy for resources,
allows registering ServiceWorker and supports fetch API. allows registering ServiceWorker and supports fetch API.
Specify an option with the value of `false` to omit it from the registration.
An example of registering a privileged scheme, without bypassing Content Security Policy:
```javascript
const {webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('foo', { bypassCSP: false })
```
### `webFrame.insertText(text)` ### `webFrame.insertText(text)`
* `text` String * `text` String

97
spec/api-web-frame-spec.js
View file

@ -7,7 +7,7 @@ const {BrowserWindow, protocol, ipcMain} = remote
describe('webFrame module', function () { describe('webFrame module', function () {
var fixtures = path.resolve(__dirname, 'fixtures') var fixtures = path.resolve(__dirname, 'fixtures')
describe('webFrame.registerURLSchemeAsPrivileged', function () { describe('webFrame.registerURLSchemeAsPrivileged', function () {
it('supports fetch api', function (done) { it('supports fetch api by default', function (done) {
webFrame.registerURLSchemeAsPrivileged('file') webFrame.registerURLSchemeAsPrivileged('file')
var url = 'file://' + fixtures + '/assets/logo.png' var url = 'file://' + fixtures + '/assets/logo.png'
window.fetch(url).then(function (response) { window.fetch(url).then(function (response) {
@ -18,21 +18,86 @@ describe('webFrame module', function () {
}) })
}) })
it('allows CORS requests', function (done) { it('allows CORS requests by default', function (done) {
const standardScheme = remote.getGlobal('standardScheme') allowsCORSRequests(200, `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors1')
fetch('cors1://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
}).catch(function (response) {
ipcRenderer.send('response', 'failed')
})
</script>
</html>`, done)
})
it('allows CORS and fetch requests when specified', function (done) {
allowsCORSRequests(200, `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors2', { supportFetchAPI: true, corsEnabled: true })
fetch('cors2://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
}).catch(function (response) {
ipcRenderer.send('response', 'failed')
})
</script>
</html>`, done)
})
it('allows CORS and fetch requests when half-specified', function (done) {
allowsCORSRequests(200, `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors3', { supportFetchAPI: true })
fetch('cors3://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
}).catch(function (response) {
ipcRenderer.send('response', 'failed')
})
</script>
</html>`, done)
})
it('disallows CORS, but allows fetch requests, when specified', function (done) {
allowsCORSRequests('failed', `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors4', { supportFetchAPI: true, corsEnabled: false })
fetch('cors4://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
}).catch(function (response) {
ipcRenderer.send('response', 'failed')
})
</script>
</html>`, done)
})
it('allows CORS, but disallows fetch requests, when specified', function (done) {
allowsCORSRequests('failed', `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors5', { supportFetchAPI: false, corsEnabled: true })
fetch('cors5://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
}).catch(function (response) {
ipcRenderer.send('response', 'failed')
})
</script>
</html>`, done)
})
var runNumber = 1
function allowsCORSRequests (expected, content, done) {
const standardScheme = remote.getGlobal('standardScheme') + runNumber
const corsScheme = 'cors' + runNumber
runNumber++
const url = standardScheme + '://fake-host' const url = standardScheme + '://fake-host'
const content = `<html>
<script>
const {ipcRenderer, webFrame} = require('electron')
webFrame.registerURLSchemeAsPrivileged('cors')
fetch('cors://myhost').then(function (response) {
ipcRenderer.send('response', response.status)
})
</script>
</html>`
var w = new BrowserWindow({show: false}) var w = new BrowserWindow({show: false})
after(function (done) { after(function (done) {
protocol.unregisterProtocol('cors', function () { protocol.unregisterProtocol(corsScheme, function () {
protocol.unregisterProtocol(standardScheme, function () { protocol.unregisterProtocol(standardScheme, function () {
closeWindow(w).then(function () { closeWindow(w).then(function () {
w = null w = null
@ -49,16 +114,16 @@ describe('webFrame module', function () {
if (error) return done(error) if (error) return done(error)
}) })
protocol.registerStringProtocol('cors', function (request, callback) { protocol.registerStringProtocol(corsScheme, function (request, callback) {
callback('') callback('')
}, function (error) { }, function (error) {
if (error) return done(error) if (error) return done(error)
ipcMain.once('response', function (event, status) { ipcMain.once('response', function (event, status) {
assert.equal(status, 200) assert.equal(status, expected)
done() done()
}) })
w.loadURL(url) w.loadURL(url)
}) })
}) }
}) })
}) })