feat: enable world safe JS by default (#26889)
* feat: enable world safe JS by default
* refactor: use the ctx bridge to send executeJavaScript results in a world safe way
* docs: add more info about the breaking change
* include default in IsEnabled check
parent
78d4cb9f5c
commit
db08f08b88
6 changed files with 90 additions and 33 deletions
|
@ -12,6 +12,16 @@ This document uses the following convention to categorize breaking changes:
|
|||
* **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
|
||||
* **Removed:** An API or feature was removed, and is no longer supported by Electron.
|
||||
|
||||
## Planned Breaking API Changes (14.0)
|
||||
|
||||
### Removed: `worldSafeExecuteJavaScript`
|
||||
|
||||
In Electron 14, `worldSafeExecuteJavaScript` will be removed. There is no alternative, please
|
||||
ensure your code works with this property enabled. It has been enabled by default since Electron
|
||||
12.
|
||||
|
||||
You will be affected by this change if you use either `webFrame.executeJavaScript` or `webFrame.executeJavaScriptInIsolatedWorld`. You will need to ensure that values returned by either of those methods are supported by the [Context Bridge API](api/context-bridge.md#parameter--error--return-type-support) as these methods use the same value passing semantics.
|
||||
|
||||
## Planned Breaking API Changes (13.0)
|
||||
|
||||
### API Changed: `session.setPermissionCheckHandler(handler)`
|
||||
|
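Review bot: The new "Removed: `worldSafeExecuteJavaScript`" entry tells readers to make sure return values of `webFrame.executeJavaScript` and `webFrame.executeJavaScriptInIsolatedWorld` are supported by the Context Bridge API, but it never says what happens to a value that is not supported, so an app author cannot tell from this text whether to expect an error or a silently altered result. Add one sentence stating the observable behaviour for an unsupported return value, ideally with a short before/after snippet of a call that needs changing. Two smaller points in the same entry: "There is no alternative, please ensure your code works with this property enabled" is a comma splice and reads better as two sentences, and the paragraph beginning "You will be affected by this change if" is left as one long line while the paragraph above it is hard-wrapped, so wrap it to match.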
@ -128,6 +138,15 @@ Chromium has removed support for Flash, and so we must follow suit. See
|
|||
Chromium's [Flash Roadmap](https://www.chromium.org/flash-roadmap) for more
|
||||
details.
|
||||
|
||||
### Default Changed: `worldSafeExecuteJavaScript` defaults to `true`
|
||||
|
||||
In Electron 12, `worldSafeExecuteJavaScript` will be enabled by default. To restore
|
||||
the previous behavior, `worldSafeExecuteJavaScript: false` must be specified in WebPreferences.
|
||||
Please note that setting this option to `false` is **insecure**.
|
||||
|
||||
This option will be removed in Electron 14 so please migrate your code to support the default
|
||||
value.
|
||||
|
||||
### Default Changed: `contextIsolation` defaults to `true`
|
||||
|
||||
In Electron 12, `contextIsolation` will be enabled by default. To restore
|
||||
|
|
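Review bot: The "Default Changed: `worldSafeExecuteJavaScript` defaults to `true`" entry flags `worldSafeExecuteJavaScript: false` as **insecure** without saying what the exposure is, and it does not tell readers which code is affected by the new default. The 14.0 removal entry added in this same commit already names the affected methods (`webFrame.executeJavaScript`, `webFrame.executeJavaScriptInIsolatedWorld`) and links to the Context Bridge return type support section; repeat that link here, or cross-reference the 14.0 entry, so someone reading only the Electron 12 notes knows what to audit before upgrading. A single sentence explaining why the `false` setting is unsafe would also make the warning actionable rather than a bare label.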