chore: disable the remote module in devtools / chrome extension background scripts (#16866)

* cache isRemoteModuleEnabled

* chore: disable the remote module in devtools / chrome extension background scripts
Milan Burda 2019-02-11 21:42:37 +01:00 committed by John Kleinschmidt
parent a3cdf46fb6
commit d8ba1278d1
6 changed files with 20 additions and 17 deletions


@ -1960,6 +1960,9 @@ v8::Local<v8::Value> WebContents::GetLastWebPreferences(
}
bool WebContents::IsRemoteModuleEnabled() const {
if (web_contents()->GetVisibleURL().SchemeIs("chrome-devtools")) {
return false;
}
if (auto* web_preferences = WebContentsPreferences::From(web_contents())) {
return web_preferences->IsRemoteModuleEnabled();
}
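Review bot: The scheme check added to `WebContents::IsRemoteModuleEnabled()` bases a privilege decision on `GetVisibleURL()`, which in Chromium may reflect a pending navigation rather than the document actually running in the renderer. If this method is consulted when a live renderer asks for remote access, the committed URL looks like the safer input: `if (web_contents()->GetLastCommittedURL().SchemeIs("chrome-devtools")) {`. If the visible URL is deliberate, for example to cover the window before the first commit, a one-line comment saying so would help the next reader. The literal `"chrome-devtools"` is repeated in the `AtomBrowserClient::AppendExtraCommandLineSwitches` hunk, so a shared constant would keep the two checks from drifting apart. The function body continues past the end of this hunk.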


@ -505,6 +505,7 @@ void AtomBrowserClient::AppendExtraCommandLineSwitches(
if (web_contents->GetVisibleURL().SchemeIs("chrome-devtools")) {
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
command_line->AppendSwitch(::switches::kNoZygote);
command_line->AppendSwitch(switches::kDisableRemoteModule);
}
auto* web_preferences = WebContentsPreferences::From(web_contents);
if (web_preferences)


@ -128,6 +128,7 @@ WebContentsPreferences::WebContentsPreferences(
SetDefaultBoolIfUndefined(options::kWebviewTag, false);
SetDefaultBoolIfUndefined(options::kSandbox, false);
SetDefaultBoolIfUndefined(options::kNativeWindowOpen, false);
SetDefaultBoolIfUndefined(options::kEnableRemoteModule, true);
SetDefaultBoolIfUndefined(options::kContextIsolation, false);
SetDefaultBoolIfUndefined("javascript", true);
SetDefaultBoolIfUndefined("images", true);


@ -368,17 +368,6 @@ const addReturnValueToEvent = (event) => {
})
}
const safeProtocols = new Set([
'chrome-devtools:',
'chrome-extension:'
])
const isWebContentsTrusted = function (contents) {
const pageURL = contents._getURL()
const { protocol } = url.parse(pageURL)
return safeProtocols.has(protocol)
}
// Add JavaScript wrappers for WebContents class.
WebContents.prototype._init = function () {
// The navigation controller.
@ -436,9 +425,7 @@ WebContents.prototype._init = function () {
for (const eventName of forwardedEvents) {
this.on(eventName, (event, ...args) => {
if (!isWebContentsTrusted(event.sender)) {
app.emit(eventName, event, this, ...args)
}
})
}


@ -91,7 +91,8 @@ const startBackgroundPages = function (manifest) {
const contents = webContents.create({
partition: 'persist:__chrome_extension',
isBackgroundPage: true,
commandLineSwitches: ['--background-page']
commandLineSwitches: ['--background-page'],
enableRemoteModule: false
})
backgroundPages[manifest.extensionId] = { html: html, webContents: contents, name: name }
contents.loadURL(url.format({


@ -264,10 +264,20 @@ const callFunction = function (event, contextId, func, caller, args) {
}
}
const isRemoteModuleEnabledCache = new WeakMap()
const isRemoteModuleEnabled = function (contents) {
if (!isRemoteModuleEnabledCache.has(contents)) {
isRemoteModuleEnabledCache.set(contents, contents._isRemoteModuleEnabled())
}
return isRemoteModuleEnabledCache.get(contents)
}
const handleRemoteCommand = function (channel, handler) {
ipcMainInternal.on(channel, (event, contextId, ...args) => {
let returnValue
if (!event.sender._isRemoteModuleEnabled()) {
if (!isRemoteModuleEnabled(event.sender)) {
event.returnValue = null
return
}
@ -506,7 +516,7 @@ ipcMainInternal.on('ELECTRON_BROWSER_SANDBOX_LOAD', function (event) {
event.returnValue = {
preloadScripts: preloadPaths.map(path => getPreloadScript(path)),
isRemoteModuleEnabled: event.sender._isRemoteModuleEnabled(),
isRemoteModuleEnabled: isRemoteModuleEnabled(event.sender),
isWebViewTagEnabled: guestViewManager.isWebViewTagEnabled(event.sender),
process: {
arch: process.arch,
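Review bot: The `WeakMap` cache in `isRemoteModuleEnabled()` pins the first answer for the lifetime of a WebContents, yet the native `_isRemoteModuleEnabled()` shown elsewhere in this commit appears to depend on the current URL scheme (the `chrome-devtools` check), which can change when the contents navigates. A contents first queried on an ordinary page would keep its cached result after moving to a devtools URL, and the reverse, so the gate in `handleRemoteCommand` could disagree with the native check. I would either call `event.sender._isRemoteModuleEnabled()` directly for the permission check or delete the cache entry on navigation. If the cache stays, it should carry a comment such as `// Cached once per WebContents; assumes the result cannot change after the first query`. The `ELECTRON_BROWSER_SANDBOX_LOAD` hunk reads through the same cache.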