chore: disable the remote module in devtools / chrome extension background scripts (#16866)

* cache isRemoteModuleEnabled

* chore: disable the remote module in devtools / chrome extension background scripts
Milan Burda 2019-02-11 21:42:37 +01:00 committed by John Kleinschmidt
parent a3cdf46fb6
commit d8ba1278d1
6 changed files with 20 additions and 17 deletions


@ -1960,6 +1960,9 @@ v8::Local<v8::Value> WebContents::GetLastWebPreferences(
} }
bool WebContents::IsRemoteModuleEnabled() const { bool WebContents::IsRemoteModuleEnabled() const {
if (web_contents()->GetVisibleURL().SchemeIs("chrome-devtools")) {
return false;
}
if (auto* web_preferences = WebContentsPreferences::From(web_contents())) { if (auto* web_preferences = WebContentsPreferences::From(web_contents())) {
return web_preferences->IsRemoteModuleEnabled(); return web_preferences->IsRemoteModuleEnabled();
} }
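Review bot: The new early return in `IsRemoteModuleEnabled()` keys a privilege decision on `GetVisibleURL()`, which as far as I know can reflect a pending navigation rather than the document actually running in the renderer. For a check that answers IPC from that renderer, the committed URL identifies the sender more reliably, e.g. `if (web_contents()->GetLastCommittedURL().SchemeIs("chrome-devtools")) {`. The same scheme literal is also tested in `AtomBrowserClient::AppendExtraCommandLineSwitches`, so a shared helper or constant would keep the two checks from drifting apart. The function body continues outside the hunk.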


@ -505,6 +505,7 @@ void AtomBrowserClient::AppendExtraCommandLineSwitches(
if (web_contents->GetVisibleURL().SchemeIs("chrome-devtools")) { if (web_contents->GetVisibleURL().SchemeIs("chrome-devtools")) {
command_line->AppendSwitch(service_manager::switches::kNoSandbox); command_line->AppendSwitch(service_manager::switches::kNoSandbox);
command_line->AppendSwitch(::switches::kNoZygote); command_line->AppendSwitch(::switches::kNoZygote);
command_line->AppendSwitch(switches::kDisableRemoteModule);
} }
auto* web_preferences = WebContentsPreferences::From(web_contents); auto* web_preferences = WebContentsPreferences::From(web_contents);
if (web_preferences) if (web_preferences)


@ -128,6 +128,7 @@ WebContentsPreferences::WebContentsPreferences(
SetDefaultBoolIfUndefined(options::kWebviewTag, false); SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false); SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false); SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kEnableRemoteModule, true);
SetDefaultBoolIfUndefined(options::kContextIsolation, false); SetDefaultBoolIfUndefined(options::kContextIsolation, false);
SetDefaultBoolIfUndefined("javascript", true); SetDefaultBoolIfUndefined("javascript", true);
SetDefaultBoolIfUndefined("images", true); SetDefaultBoolIfUndefined("images", true);


@ -368,17 +368,6 @@ const addReturnValueToEvent = (event) => {
}) })
} }
const safeProtocols = new Set([
'chrome-devtools:',
'chrome-extension:'
])
const isWebContentsTrusted = function (contents) {
const pageURL = contents._getURL()
const { protocol } = url.parse(pageURL)
return safeProtocols.has(protocol)
}
// Add JavaScript wrappers for WebContents class. // Add JavaScript wrappers for WebContents class.
WebContents.prototype._init = function () { WebContents.prototype._init = function () {
// The navigation controller. // The navigation controller.
@ -436,9 +425,7 @@ WebContents.prototype._init = function () {
for (const eventName of forwardedEvents) { for (const eventName of forwardedEvents) {
this.on(eventName, (event, ...args) => { this.on(eventName, (event, ...args) => {
if (!isWebContentsTrusted(event.sender)) { app.emit(eventName, event, this, ...args)
app.emit(eventName, event, this, ...args)
}
}) })
} }
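Review bot: With `isWebContentsTrusted` gone, nothing on the new side accounts for `chrome-extension:` contents that are not background pages. The removed `safeProtocols` set matched the whole scheme, while the replacement only disables the remote module for `chrome-devtools` URLs and for the contents created in `startBackgroundPages`. Any other extension-hosted contents would now have these events forwarded to `app` and would keep the default `enableRemoteModule: true`; if such contents exist, that deserves an explicit decision. A comment above the loop would record the new assumption, e.g. `// devtools and extension background pages have the remote module disabled, so no trust filter is needed here`. `forwardedEvents` is defined outside the hunk, so which events are affected cannot be confirmed from this page.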


@ -91,7 +91,8 @@ const startBackgroundPages = function (manifest) {
const contents = webContents.create({ const contents = webContents.create({
partition: 'persist:__chrome_extension', partition: 'persist:__chrome_extension',
isBackgroundPage: true, isBackgroundPage: true,
commandLineSwitches: ['--background-page'] commandLineSwitches: ['--background-page'],
enableRemoteModule: false
}) })
backgroundPages[manifest.extensionId] = { html: html, webContents: contents, name: name } backgroundPages[manifest.extensionId] = { html: html, webContents: contents, name: name }
contents.loadURL(url.format({ contents.loadURL(url.format({


@ -264,10 +264,20 @@ const callFunction = function (event, contextId, func, caller, args) {
} }
} }
const isRemoteModuleEnabledCache = new WeakMap()
const isRemoteModuleEnabled = function (contents) {
if (!isRemoteModuleEnabledCache.has(contents)) {
isRemoteModuleEnabledCache.set(contents, contents._isRemoteModuleEnabled())
}
return isRemoteModuleEnabledCache.get(contents)
}
const handleRemoteCommand = function (channel, handler) { const handleRemoteCommand = function (channel, handler) {
ipcMainInternal.on(channel, (event, contextId, ...args) => { ipcMainInternal.on(channel, (event, contextId, ...args) => {
let returnValue let returnValue
if (!event.sender._isRemoteModuleEnabled()) { if (!isRemoteModuleEnabled(event.sender)) {
event.returnValue = null event.returnValue = null
return return
} }
@ -506,7 +516,7 @@ ipcMainInternal.on('ELECTRON_BROWSER_SANDBOX_LOAD', function (event) {
event.returnValue = { event.returnValue = {
preloadScripts: preloadPaths.map(path => getPreloadScript(path)), preloadScripts: preloadPaths.map(path => getPreloadScript(path)),
isRemoteModuleEnabled: event.sender._isRemoteModuleEnabled(), isRemoteModuleEnabled: isRemoteModuleEnabled(event.sender),
isWebViewTagEnabled: guestViewManager.isWebViewTagEnabled(event.sender), isWebViewTagEnabled: guestViewManager.isWebViewTagEnabled(event.sender),
process: { process: {
arch: process.arch, arch: process.arch,
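Review bot: `isRemoteModuleEnabledCache` freezes the first answer for the lifetime of the contents, but in this same commit `WebContents::IsRemoteModuleEnabled()` starts depending on the current URL scheme. The cached value can therefore go stale if a contents ever navigates into or out of a `chrome-devtools` page. Since `handleRemoteCommand` uses the cached value as the enforcement check, a stale `true` is the unsafe direction. Dropping the entry on navigation keeps the cache and the native check in step, e.g. `contents.once('did-navigate', () => isRemoteModuleEnabledCache.delete(contents))` next to the `set` call. Whether such a navigation is reachable depends on code outside this page.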