Rename option to webviewTag and default to nodeIntegration value

Kevin Sawicki 2017-05-17 13:09:24 -07:00
parent 837ea884de
commit bde13353fb
6 changed files with 26 additions and 23 deletions


@ -101,12 +101,12 @@ void WebContentsPreferences::AppendExtraCommandLineSwitches(
if (web_preferences.GetBoolean(options::kNodeIntegrationInWorker, &b) && b)
command_line->AppendSwitch(switches::kNodeIntegrationInWorker);
// Check if webview tag creation is overriden.
bool override_webview_security = false;
web_preferences.GetBoolean(options::kOverrideWebViewSecurity,
&override_webview_security);
command_line->AppendSwitchASCII(switches::kOverrideWebViewSecurity,
override_webview_security ? "true" : "false");
// Check if webview tag creation is enabled, default to nodeIntegration value.
// TODO(kevinsawicki): Default to false in 2.0
bool webview_tag = node_integration;
web_preferences.GetBoolean(options::kWebviewTag, &webview_tag);
command_line->AppendSwitchASCII(switches::kWebviewTag,
webview_tag ? "true" : "false");
// If the `sandbox` option was passed to the BrowserWindow's webPreferences,
// pass `--enable-sandbox` to the renderer so it won't have any node.js
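Review bot: The return value of `GetBoolean` for `options::kWebviewTag` is discarded, so a `webviewTag` entry that is present but not a boolean is presumably ignored and the switch silently falls back to `node_integration`. For an option that gates a privileged feature, failing closed is safer: `if (!web_preferences.GetBoolean(options::kWebviewTag, &webview_tag) && web_preferences.HasKey(options::kWebviewTag)) webview_tag = false;` (assuming `web_preferences` is a `base::DictionaryValue`). `node_integration` is assigned outside this hunk, so its own default cannot be checked here. The comment could state that default, since it decides whether `<webview>` is on when the option is omitted, until the TODO is resolved.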


@ -128,8 +128,8 @@ const char kDisableBlinkFeatures[] = "disableBlinkFeatures";
// Enable the node integration in WebWorker.
const char kNodeIntegrationInWorker[] = "nodeIntegrationInWorker";
// Enable the web view tag irrespective of node-integration setting.
const char kOverrideWebViewSecurity[] = "overrideWebViewSecurity";
// Enable the web view tag.
const char kWebviewTag[] = "webviewTag";
} // namespace options
@ -176,7 +176,7 @@ const char kOpenerID[] = "opener-id";
const char kScrollBounce[] = "scroll-bounce";
const char kHiddenPage[] = "hidden-page";
const char kNativeWindowOpen[] = "native-window-open";
const char kOverrideWebViewSecurity[] = "override-webview-security";
const char kWebviewTag[] = "webview-tag";
// Command switch passed to renderer process to control nodeIntegration.
const char kNodeIntegrationInWorker[] = "node-integration-in-worker";


@ -64,7 +64,7 @@ extern const char kScrollBounce[];
extern const char kBlinkFeatures[];
extern const char kDisableBlinkFeatures[];
extern const char kNodeIntegrationInWorker[];
extern const char kOverrideWebViewSecurity[];
extern const char kWebviewTag[];
} // namespace options
@ -95,7 +95,7 @@ extern const char kScrollBounce[];
extern const char kHiddenPage[];
extern const char kNativeWindowOpen[];
extern const char kNodeIntegrationInWorker[];
extern const char kOverrideWebViewSecurity[];
extern const char kWebviewTag[];
extern const char kWidevineCdmPath[];
extern const char kWidevineCdmVersion[];


@ -1,4 +1,4 @@
# BrowserWindow
©# BrowserWindow
> Create and control browser windows.
@ -308,11 +308,14 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
Console tab. **Note:** This option is currently experimental and may
change or be removed in future Electron releases.
* `nativeWindowOpen` Boolean (optional) - Whether to use native `window.open()`. Defaults to `false`.
* `overrideWebViewSecurity` Boolean (optional) - Whether to enable [webview-tag](webview-tag.md)
ignoring the security restriction based on `nodeIntegration`. Enabling this option will
have security implication on creating `webview` with `nodeIntegration` disabled. To avoid the
security risk, listen to `will-attach-webview` event on [web-contents](web-contents.md) and
stop creating `webview` or removing preload scripts.
* `webviewTag` Boolean (optional) - Whether to enable the [`<webview>` tag](webview-tag.md).
Defaults to the value of the `nodeIntegration` option. **Note:** The
preload script to the `<webview>` will have node integration enabled
when it executed so you should ensure remote content is not able to create
a `<webview>` tag with a possibly malicious `preload` script. You can use
the `will-attach-webview` event on [web-contents](web-contents.md) to
strip away the `preload` script and to validate or alter the `<webview>`'s
initial settings.
When setting minimum or maximum window size with `minWidth`/`maxWidth`/
`minHeight`/`maxHeight`, it only constrains the users. It won't prevent you from


@ -57,7 +57,7 @@ let nodeIntegration = 'false'
let preloadScript = null
let isBackgroundPage = false
let appPath = null
let overrideWebViewSecurity = false
let webviewTag = 'true'
for (let arg of process.argv) {
if (arg.indexOf('--guest-instance-id=') === 0) {
// This is a guest web view.
@ -73,8 +73,8 @@ for (let arg of process.argv) {
isBackgroundPage = true
} else if (arg.indexOf('--app-path=') === 0) {
appPath = arg.substr(arg.indexOf('=') + 1)
} else if (arg.indexOf('--override-webview-security=') === 0) {
overrideWebViewSecurity = arg.substr(arg.indexOf('=') + 1)
} else if (arg.indexOf('--webview-tag=') === 0) {
webviewTag = arg.substr(arg.indexOf('=') + 1)
}
}
@ -97,7 +97,7 @@ if (window.location.protocol === 'chrome-devtools:') {
require('./content-scripts-injector')
// Load webview tag implementation.
if ((nodeIntegration === 'true' || overrideWebViewSecurity === 'true') && process.guestInstanceId == null) {
if (webviewTag === 'true' && process.guestInstanceId == null) {
require('./web-view/web-view')
require('./web-view/web-view-attributes')
}
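Review bot: `let webviewTag = 'true'` makes the renderer fail open: if no `--webview-tag=` argument reaches `process.argv`, the `<webview>` implementation is loaded even when `nodeIntegration` is `'false'`, which the removed condition did not allow. The browser-side lines shown in this commit always append the switch, so this should not occur on that path, but the safer initial value is `let webviewTag = 'false'`. If `'true'` is deliberate, a comment such as `// Enabled unless the browser process passes --webview-tag=false` would record the assumption.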


@ -54,13 +54,13 @@ describe('<webview> tag', function () {
w.loadURL('file://' + fixtures + '/pages/webview-no-script.html')
})
it('is enabled when override is set', function (done) {
it('is enabled when the webviewTag option is enabled and the nodeIntegration option is disabled', function (done) {
w = new BrowserWindow({
show: false,
webPreferences: {
nodeIntegration: false,
preload: path.join(fixtures, 'module', 'preload-webview.js'),
overrideWebViewSecurity: true
webviewTag: true
}
})
ipcMain.once('webview', function (event, type) {
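Review bot: The renamed case covers only `webviewTag: true` with `nodeIntegration: false`; nothing in this hunk checks the restrictive direction the option now allows, `webviewTag: false` with `nodeIntegration: true`, or that omitting the option follows `nodeIntegration`. A sibling case built like this one, with `nodeIntegration: true, webviewTag: false` and the same expectation as the existing "disabled" test, would pin the behaviour that matters most for hardening. The `describe` block continues outside the hunk, so such a case may already exist there.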