diff --git a/atom/browser/web_contents_preferences.cc b/atom/browser/web_contents_preferences.cc
index 18bd9dc0a7b0..2bd0900311a8 100644
--- a/atom/browser/web_contents_preferences.cc
+++ b/atom/browser/web_contents_preferences.cc
@@ -101,12 +101,12 @@ void WebContentsPreferences::AppendExtraCommandLineSwitches(
 if (web_preferences.GetBoolean(options::kNodeIntegrationInWorker, &b) && b)
 command_line->AppendSwitch(switches::kNodeIntegrationInWorker);
- // Check if webview tag creation is overriden.
- bool override_webview_security = false;
- web_preferences.GetBoolean(options::kOverrideWebViewSecurity,
- &override_webview_security);
- command_line->AppendSwitchASCII(switches::kOverrideWebViewSecurity,
- override_webview_security ? "true" : "false");
+ // Check if webview tag creation is enabled, default to nodeIntegration value.
+ // TODO(kevinsawicki): Default to false in 2.0
+ bool webview_tag = node_integration;
+ web_preferences.GetBoolean(options::kWebviewTag, &webview_tag);
+ command_line->AppendSwitchASCII(switches::kWebviewTag,
+ webview_tag ? "true" : "false");
 // If the `sandbox` option was passed to the BrowserWindow's webPreferences,
 // pass `--enable-sandbox` to the renderer so it won't have any node.js
diff --git a/atom/common/options_switches.cc b/atom/common/options_switches.cc
index 24e22873262c..ce63fc716a3a 100644
--- a/atom/common/options_switches.cc
+++ b/atom/common/options_switches.cc
@@ -128,8 +128,8 @@ const char kDisableBlinkFeatures[] = "disableBlinkFeatures";
 // Enable the node integration in WebWorker.
 const char kNodeIntegrationInWorker[] = "nodeIntegrationInWorker";
-// Enable the web view tag irrespective of node-integration setting.
-const char kOverrideWebViewSecurity[] = "overrideWebViewSecurity";
+// Enable the web view tag.
+const char kWebviewTag[] = "webviewTag";
 } // namespace options
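Review bot: In `atom/browser/web_contents_preferences.cc`, the new default `bool webview_tag = node_integration;` leaves the security reason for this switch out of the code: per the browser-window.md text in this commit, a `<webview>` preload script runs with node integration, so a window with `nodeIntegration` off and `webviewTag` on gives that capability to any content able to create the tag. I would say so above the declaration, e.g. `// A <webview> preload script runs with node integration; pair webviewTag with a will-attach-webview check when nodeIntegration is off.` The result of `GetBoolean` is ignored, so a `webviewTag` value that is present but not a boolean presumably keeps the nodeIntegration-derived default instead of disabling the tag. `node_integration` is declared outside the hunk, so whether it already holds the resolved preference at this point could not be checked here.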
@@ -176,7 +176,7 @@ const char kOpenerID[] = "opener-id";
 const char kScrollBounce[] = "scroll-bounce";
 const char kHiddenPage[] = "hidden-page";
 const char kNativeWindowOpen[] = "native-window-open";
-const char kOverrideWebViewSecurity[] = "override-webview-security";
+const char kWebviewTag[] = "webview-tag";
 // Command switch passed to renderer process to control nodeIntegration.
 const char kNodeIntegrationInWorker[] = "node-integration-in-worker";
diff --git a/atom/common/options_switches.h b/atom/common/options_switches.h
index c478426c15fb..6fda408ee5ce 100644
--- a/atom/common/options_switches.h
+++ b/atom/common/options_switches.h
@@ -64,7 +64,7 @@ extern const char kScrollBounce[];
 extern const char kBlinkFeatures[];
 extern const char kDisableBlinkFeatures[];
 extern const char kNodeIntegrationInWorker[];
-extern const char kOverrideWebViewSecurity[];
+extern const char kWebviewTag[];
 } // namespace options
@@ -95,7 +95,7 @@ extern const char kScrollBounce[];
 extern const char kHiddenPage[];
 extern const char kNativeWindowOpen[];
 extern const char kNodeIntegrationInWorker[];
-extern const char kOverrideWebViewSecurity[];
+extern const char kWebviewTag[];
 extern const char kWidevineCdmPath[];
 extern const char kWidevineCdmVersion[];
diff --git a/docs/api/browser-window.md b/docs/api/browser-window.md
index 9fd67a778f9f..a739490955fc 100644
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@@ -1,4 +1,4 @@
-# BrowserWindow
+©# BrowserWindow
 > Create and control browser windows.
@@ -308,11 +308,14 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
 Console tab. **Note:** This option is currently experimental and may change or be removed in future Electron releases.
 * `nativeWindowOpen` Boolean (optional) - Whether to use native `window.open()`. Defaults to `false`.
- * `overrideWebViewSecurity` Boolean (optional) - Whether to enable [webview-tag](webview-tag.md)
- ignoring the security restriction based on `nodeIntegration`. Enabling this option will
- have security implication on creating `webview` with `nodeIntegration` disabled. To avoid the
- security risk, listen to `will-attach-webview` event on [web-contents](web-contents.md) and
- stop creating `webview` or removing preload scripts.
+ * `webviewTag` Boolean (optional) - Whether to enable the [`` tag](webview-tag.md).
+ Defaults to the value of the `nodeIntegration` option. **Note:** The
+ preload script to the `` will have node integration enabled
+ when it executed so you should ensure remote content is not able to create
+ a `` tag with a possibly malicious `preload` script. You can use
+ the `will-attach-webview` event on [web-contents](web-contents.md) to
+ strip away the `preload` script and to validate or alter the ``'s
+ initial settings.
 When setting minimum or maximum window size with `minWidth`/`maxWidth`/ `minHeight`/`maxHeight`, it only constrains the users. It won't prevent you from
diff --git a/lib/renderer/init.js b/lib/renderer/init.js
index 4b9049563f8d..e3e054e6b02f 100644
--- a/lib/renderer/init.js
+++ b/lib/renderer/init.js
@@ -57,7 +57,7 @@ let nodeIntegration = 'false'
 let preloadScript = null
 let isBackgroundPage = false
 let appPath = null
-let overrideWebViewSecurity = false
+let webviewTag = 'true'
 for (let arg of process.argv) {
 if (arg.indexOf('--guest-instance-id=') === 0) {
 // This is a guest web view.
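Review bot: In `lib/renderer/init.js` the new `let webviewTag = 'true'` makes the renderer fail open: when no `--webview-tag=` argument is found in `process.argv`, the `webviewTag === 'true'` check in the third hunk of this file still loads `./web-view/web-view`, even with `nodeIntegration` at `'false'`, whereas the removed `overrideWebViewSecurity = false` default kept the tag off. The browser side appends the switch unconditionally in this commit, so the default is only reached if that argument is missing, but a security toggle should default to off: `let webviewTag = 'false'`. The parsing branch in the second hunk needs no change for this.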
@@ -73,8 +73,8 @@ for (let arg of process.argv) {
 isBackgroundPage = true
 } else if (arg.indexOf('--app-path=') === 0) {
 appPath = arg.substr(arg.indexOf('=') + 1)
- } else if (arg.indexOf('--override-webview-security=') === 0) {
- overrideWebViewSecurity = arg.substr(arg.indexOf('=') + 1)
+ } else if (arg.indexOf('--webview-tag=') === 0) {
+ webviewTag = arg.substr(arg.indexOf('=') + 1)
 }
 }
@@ -97,7 +97,7 @@ if (window.location.protocol === 'chrome-devtools:') {
 require('./content-scripts-injector')
 // Load webview tag implementation.
- if ((nodeIntegration === 'true' || overrideWebViewSecurity === 'true') && process.guestInstanceId == null) {
+ if (webviewTag === 'true' && process.guestInstanceId == null) {
 require('./web-view/web-view')
 require('./web-view/web-view-attributes')
 }
diff --git a/spec/webview-spec.js b/spec/webview-spec.js
index 997aee2ec1fb..d7f6f6528df8 100644
--- a/spec/webview-spec.js
+++ b/spec/webview-spec.js
@@ -54,13 +54,13 @@ describe(' tag', function () {
 w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
 })
- it('is enabled when override is set', function (done) {
+ it('is enabled when the webviewTag option is enabled and the nodeIntegration option is disabled', function (done) {
 w = new BrowserWindow({
 show: false,
 webPreferences: {
 nodeIntegration: false,
 preload: path.join(fixtures, 'module', 'preload-webview.js'),
- overrideWebViewSecurity: true
+ webviewTag: true
 }
 })
 ipcMain.once('webview', function (event, type) {
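Review bot: The hunk in `spec/webview-spec.js` only renames the existing positive case, so nothing exercises what is new in this commit: `webviewTag: false` with `nodeIntegration: true` should leave the tag unavailable, and omitting `webviewTag` should follow `nodeIntegration`. I would add two `it(...)` cases next to this one that build the `BrowserWindow` with those `webPreferences` and assert on the `type` reported over the `webview` IPC channel. The `ipcMain.once` callback body and the rest of the `describe` block lie outside the hunk, so the exact assertion shape is assumed to match the existing cases.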