mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

docs: Move security info from browser-window to web-security.

Browse source
This commit is contained in:
Cheng Zhao 2014-08-11 15:37:44 +08:00
parent 253789353f
commit cad9580796
2 changed files with 44 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
docs/api/browser-window.md
View file

@ -54,8 +54,9 @@ normal browsers, see [Web Security](web-security.md) for more.
* `show` Boolean - Whether window should be shown when created
* `frame` Boolean - Specify `false` to create a
[Frameless Window](frameless-window.md)
* `node-integration` String - Can be `all`, `except-iframe`,
`manual-enable-iframe` or `disable`.
* `node-integration` String - Default value is `except-iframe`, can also be
`all`, `manual-enable-iframe` or `disable`, see
[Web Security](web-security.md) for more informations.
* `accept-first-mouse` Boolean - Whether the web view accepts a single
mouse-down event that simultaneously activates the window
* `auto-hide-menu-bar` Boolean - Auto hide the menu bar unless the `Alt`
@ -80,35 +81,6 @@ Creates a new `BrowserWindow` with native properties set by the `options`.
Usually you only need to set the `width` and `height`, other properties will
have decent default values.
By default the `node-integration` option is `except-iframe`, which means node
integration is disabled in all iframes, . You can also set it to `all`, with
which node integration is available to the main page and all its iframes, or
`manual-enable-iframe`, which is like `except-iframe`, but would enable iframes
whose name is suffixed by `-enable-node-integration`. And setting to `disable`
would disable the node integration in both the main page and its iframes.
An example of enable node integration in iframe with `node-integration` set to
`manual-enable-iframe`:
```html
<!-- iframe with node integration enabled -->
<iframe name="gh-enable-node-integration" src="https://github.com"></iframe>
<!-- iframe with node integration disabled -->
<iframe src="http://jandan.net"></iframe>
```
And in atom-shell, the security limitation of iframe is stricter than normal
browser, by default iframe is sandboxed with all permissions except the
`allow-same-origin`, which means iframe could not access parent's js context.
If you want to enable things like `parent.window.process.exit()` in iframe,
you should explicitly set `sandbox` to `none`:
```html
<iframe sandbox="none" src="https://github.com"></iframe>
```
### Event: 'page-title-updated'
* `event` Event

41
docs/api/web-security.md
View file

@ -18,4 +18,45 @@ the `iframe`'s name to disable this:
<iframe name="google-disable-x-frame-options" src="https://google.com"></iframe>
```
## Frames are sandboxed by default
In normal browsers, `iframe`s are not sandboxed by default, which means a remote
page in `iframe` can easily access its parent's JavaScript context.
In atom-shell because the parent frame may have the power to access native
resources, this could cause security problems. In order to fix it, `iframe`s
in atom-shell are sandboxed with all permissions except the `allow-same-origin`
by default.
If you want to enable things like `parent.window.process.exit()` in `iframe`s,
you need to explicitly add `allow-same-origin` to the `sandbox` attribute, or
just set `sandbox` to `none`:
```html
<iframe sandbox="none" src="https://github.com"></iframe>
```
## Node integration in frames
The `node-integration` option of [BrowserWindow](browser-window.md) controls
whether node integration is enabled in web page and its `iframe`s.
By default the `node-integration` option is `except-iframe`, which means node
integration is disabled in all `iframe`s. You can also set it to `all`, with
which node integration is available to the main page and all its `iframe`s, or
`manual-enable-iframe`, which is like `except-iframe`, but enables `iframe`s
whose name contains string `enable-node-integration`. And setting to `disable`
would disable the node integration in both the main page and its `iframe`s.
An example of enable node integration in `iframe` with `node-integration` set to
`manual-enable-iframe`:
```html
<!-- iframe with node integration enabled -->
<iframe name="gh-enable-node-integration" src="https://github.com"></iframe>
<!-- iframe with node integration disabled -->
<iframe src="http://jandan.net"></iframe>
```
[x-frame-options](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)