feat: disable the remote module by default (#22091)

This commit is contained in:
Jeremy Apthorp 2020-02-10 10:49:09 -08:00 committed by GitHub
parent af631f8204
commit b77f701aeb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 62 additions and 24 deletions

View file

@ -6,6 +6,26 @@ Breaking changes will be documented here, and deprecation warnings added to JS c
The `FIXME` string is used in code comments to denote things that should be fixed for future releases. See https://github.com/electron/electron/search?q=fixme
## Planned Breaking API Changes (10.0)
### `enableRemoteModule` defaults to `false`
In Electron 9, using the remote module without explicitly enabling it via the
`enableRemoteModule` WebPreferences option began emitting a warning. In
Electron 10, the remote module is now disabled by default. To use the remote
module, `enableRemoteModule: true` must be specified in WebPreferences:
```js
const w = new BrowserWindow({
webPreferences: {
enableRemoteModule: true
}
})
```
We [recommend moving away from the remote
module](https://medium.com/@nornagon/electrons-remote-module-considered-harmful-70d69500f31).
## Planned Breaking API Changes (9.0)
### `<webview>.getWebContents()`

View file

@ -321,7 +321,7 @@ const unwrapArgs = function (sender: electron.WebContents, frameId: number, cont
const isRemoteModuleEnabledImpl = function (contents: electron.WebContents) {
const webPreferences = (contents as any).getLastWebPreferences() || {}
return webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true
return webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : false
}
const isRemoteModuleEnabledCache = new WeakMap()

View file

@ -13,14 +13,6 @@ const remoteObjectCache = v8Util.createIDWeakMap()
// An unique ID that can represent current context.
const contextId = v8Util.getHiddenValue(global, 'contextId')
ipcRendererInternal.invoke('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES').then(preferences => {
if (!preferences.enableRemoteModule) {
console.warn('%cElectron Deprecation Warning', 'font-weight: bold', "The 'remote' module is deprecated and will be disabled by default in a future version of Electron. To ensure a smooth upgrade and silence this warning, specify {enableRemoteModule: true} in the WebPreferences for this window.")
}
}, (err) => {
console.error('Failed to get web preferences:', err)
})
// Notify the main process when current context is going to be released.
// Note that when the renderer process is destroyed, the message may not be
// sent, we also listen to the "render-view-deleted" event in the main process

View file

@ -327,7 +327,7 @@ void WebContentsPreferences::AppendCommandLineSwitches(
#if BUILDFLAG(ENABLE_REMOTE_MODULE)
// Whether to enable the remote module
if (IsEnabled(options::kEnableRemoteModule, true))
if (IsEnabled(options::kEnableRemoteModule, false))
command_line->AppendSwitch(switches::kEnableRemoteModule);
#endif

View file

@ -457,7 +457,8 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadURL('about:blank')
@ -474,7 +475,8 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadURL('about:blank')
@ -491,7 +493,8 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadURL('about:blank')
@ -508,7 +511,8 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadURL('about:blank')
@ -524,7 +528,8 @@ describe('app module', () => {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadURL('about:blank')

View file

@ -1628,6 +1628,7 @@ describe('BrowserWindow module', () => {
show: false,
webPreferences: {
nodeIntegration: true,
enableRemoteModule: true,
preload
}
})
@ -1749,7 +1750,7 @@ describe('BrowserWindow module', () => {
describe(description, () => {
const preload = path.join(__dirname, 'fixtures', 'module', 'preload-remote.js')
it('enables the remote module by default', async () => {
it('disables the remote module by default', async () => {
const w = new BrowserWindow({
show: false,
webPreferences: {
@ -1760,7 +1761,7 @@ describe('BrowserWindow module', () => {
const p = emittedOnce(ipcMain, 'remote')
w.loadFile(path.join(fixtures, 'api', 'blank.html'))
const [, remote] = await p
expect(remote).to.equal('object')
expect(remote).to.equal('undefined')
})
it('disables the remote module when false', async () => {
@ -1777,6 +1778,21 @@ describe('BrowserWindow module', () => {
const [, remote] = await p
expect(remote).to.equal('undefined')
})
it('enables the remote module when true', async () => {
const w = new BrowserWindow({
show: false,
webPreferences: {
preload,
sandbox,
enableRemoteModule: true
}
})
const p = emittedOnce(ipcMain, 'remote')
w.loadFile(path.join(fixtures, 'api', 'blank.html'))
const [, remote] = await p
expect(remote).to.equal('object')
})
})
}
@ -2093,7 +2109,8 @@ describe('BrowserWindow module', () => {
show: false,
webPreferences: {
preload,
sandbox: true
sandbox: true,
enableRemoteModule: true
}
})
w.loadFile(path.join(__dirname, 'fixtures', 'api', 'sandbox.html'), { search: 'reload-remote' })
@ -2125,7 +2142,8 @@ describe('BrowserWindow module', () => {
show: false,
webPreferences: {
preload,
sandbox: true
sandbox: true,
enableRemoteModule: true
}
})
w.webContents.once('new-window', (event, url, frameName, disposition, options) => {

View file

@ -194,7 +194,8 @@ ifdescribe(features.isRemoteModuleEnabled())('remote module', () => {
const w = new BrowserWindow({
show: false,
webPreferences: {
preload
preload,
enableRemoteModule: true
}
})
w.loadURL('about:blank')
@ -207,7 +208,8 @@ ifdescribe(features.isRemoteModuleEnabled())('remote module', () => {
const w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
@ -227,7 +229,8 @@ ifdescribe(features.isRemoteModuleEnabled())('remote module', () => {
const w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: true
nodeIntegration: true,
enableRemoteModule: true
}
})
await w.loadFile(path.join(fixtures, 'api', 'remote-event-handler.html'))

View file

@ -821,7 +821,7 @@ describe('webContents module', () => {
})
it('can persist zoom level across navigation', (done) => {
const w = new BrowserWindow({ show: false, webPreferences: { nodeIntegration: true } })
const w = new BrowserWindow({ show: false, webPreferences: { nodeIntegration: true, enableRemoteModule: true } })
let finalNavigation = false
ipcMain.on('set-zoom', (e, host) => {
const zoomLevel = hostZoomMap[host]
@ -847,7 +847,7 @@ describe('webContents module', () => {
})
it('can propagate zoom level across same session', (done) => {
const w = new BrowserWindow({ show: false, webPreferences: { nodeIntegration: true } })
const w = new BrowserWindow({ show: false, webPreferences: { nodeIntegration: true, enableRemoteModule: true } })
const w2 = new BrowserWindow({ show: false })
w2.webContents.on('did-finish-load', () => {
const zoomLevel1 = w.webContents.zoomLevel