Rename option to webviewTag and default to nodeIntegration value

atom/browser/web_contents_preferences.cc

@@ -101,12 +101,12 @@ void WebContentsPreferences::AppendExtraCommandLineSwitches(
   if (web_preferences.GetBoolean(options::kNodeIntegrationInWorker, &b) && b)
     command_line->AppendSwitch(switches::kNodeIntegrationInWorker);
 
-  // Check if webview tag creation is overriden.
-  bool override_webview_security = false;
-  web_preferences.GetBoolean(options::kOverrideWebViewSecurity,
-                             &override_webview_security);
-  command_line->AppendSwitchASCII(switches::kOverrideWebViewSecurity,
-                                  override_webview_security ? "true" : "false");
+  // Check if webview tag creation is enabled, default to nodeIntegration value.
+  // TODO(kevinsawicki): Default to false in 2.0
+  bool webview_tag = node_integration;
+  web_preferences.GetBoolean(options::kWebviewTag, &webview_tag);
+  command_line->AppendSwitchASCII(switches::kWebviewTag,
+                                  webview_tag ? "true" : "false");
 
   // If the `sandbox` option was passed to the BrowserWindow's webPreferences,
   // pass `--enable-sandbox` to the renderer so it won't have any node.js

atom/common/options_switches.cc

@@ -128,8 +128,8 @@ const char kDisableBlinkFeatures[] = "disableBlinkFeatures";
 // Enable the node integration in WebWorker.
 const char kNodeIntegrationInWorker[] = "nodeIntegrationInWorker";
 
-// Enable the web view tag irrespective of node-integration setting.
-const char kOverrideWebViewSecurity[] = "overrideWebViewSecurity";
+// Enable the web view tag.
+const char kWebviewTag[] = "webviewTag";
 
 }  // namespace options
 
@@ -176,7 +176,7 @@ const char kOpenerID[]         = "opener-id";
 const char kScrollBounce[]     = "scroll-bounce";
 const char kHiddenPage[]       = "hidden-page";
 const char kNativeWindowOpen[] = "native-window-open";
-const char kOverrideWebViewSecurity[]  = "override-webview-security";
+const char kWebviewTag[]       = "webview-tag";
 
 // Command switch passed to renderer process to control nodeIntegration.
 const char kNodeIntegrationInWorker[]  = "node-integration-in-worker";

atom/common/options_switches.h

@@ -64,7 +64,7 @@ extern const char kScrollBounce[];
 extern const char kBlinkFeatures[];
 extern const char kDisableBlinkFeatures[];
 extern const char kNodeIntegrationInWorker[];
-extern const char kOverrideWebViewSecurity[];
+extern const char kWebviewTag[];
 
 }   // namespace options
 
@@ -95,7 +95,7 @@ extern const char kScrollBounce[];
 extern const char kHiddenPage[];
 extern const char kNativeWindowOpen[];
 extern const char kNodeIntegrationInWorker[];
-extern const char kOverrideWebViewSecurity[];
+extern const char kWebviewTag[];
 
 extern const char kWidevineCdmPath[];
 extern const char kWidevineCdmVersion[];

docs/api/browser-window.md

@@ -1,4 +1,4 @@
-# BrowserWindow
+©# BrowserWindow
 
 > Create and control browser windows.
 
@@ -308,11 +308,14 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
       Console tab. **Note:** This option is currently experimental and may
       change or be removed in future Electron releases.
     * `nativeWindowOpen` Boolean (optional) - Whether to use native `window.open()`. Defaults to `false`.
-    * `overrideWebViewSecurity` Boolean (optional) - Whether to enable [webview-tag](webview-tag.md)
-      ignoring the security restriction based on `nodeIntegration`. Enabling this option will
-      have security implication on creating `webview` with `nodeIntegration` disabled. To avoid the
-      security risk, listen to `will-attach-webview` event on [web-contents](web-contents.md) and
-      stop creating `webview` or removing preload scripts.
+    * `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
+      Defaults to the value of the `nodeIntegration` option. **Note:** The
+      preload script to the `<webview>` will have node integration enabled
+      when it executed so you should ensure remote content is not able to create
+      a `<webview>` tag with a possibly malicious `preload` script. You can use
+      the `will-attach-webview` event on [web-contents](web-contents.md) to
+      strip away the `preload` script and to validate or alter the `<webview>`'s
+      initial settings.
 
 When setting minimum or maximum window size with `minWidth`/`maxWidth`/
 `minHeight`/`maxHeight`, it only constrains the users. It won't prevent you from

lib/renderer/init.js

@@ -57,7 +57,7 @@ let nodeIntegration = 'false'
 let preloadScript = null
 let isBackgroundPage = false
 let appPath = null
-let overrideWebViewSecurity = false
+let webviewTag = 'true'
 for (let arg of process.argv) {
   if (arg.indexOf('--guest-instance-id=') === 0) {
     // This is a guest web view.
@@ -73,8 +73,8 @@ for (let arg of process.argv) {
     isBackgroundPage = true
   } else if (arg.indexOf('--app-path=') === 0) {
     appPath = arg.substr(arg.indexOf('=') + 1)
-  } else if (arg.indexOf('--override-webview-security=') === 0) {
-    overrideWebViewSecurity = arg.substr(arg.indexOf('=') + 1)
+  } else if (arg.indexOf('--webview-tag=') === 0) {
+    webviewTag = arg.substr(arg.indexOf('=') + 1)
   }
 }
 
@@ -97,7 +97,7 @@ if (window.location.protocol === 'chrome-devtools:') {
   require('./content-scripts-injector')
 
   // Load webview tag implementation.
-  if ((nodeIntegration === 'true' || overrideWebViewSecurity === 'true') && process.guestInstanceId == null) {
+  if (webviewTag === 'true' && process.guestInstanceId == null) {
     require('./web-view/web-view')
     require('./web-view/web-view-attributes')
   }

spec/webview-spec.js

@@ -54,13 +54,13 @@ describe('<webview> tag', function () {
     w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
   })
 
-  it('is enabled when override is set', function (done) {
+  it('is enabled when the webviewTag option is enabled and the nodeIntegration option is disabled', function (done) {
     w = new BrowserWindow({
       show: false,
       webPreferences: {
         nodeIntegration: false,
         preload: path.join(fixtures, 'module', 'preload-webview.js'),
-        overrideWebViewSecurity: true
+        webviewTag: true
       }
     })
     ipcMain.once('webview', function (event, type) {