fix: disable nodeIntegration & insecure resource warnings for localhost (#18814)

* fix: disable remote host nodeIntegration warning for localhost

In warnAboutNodeWithRemoteContent(), add a check to see if the hostname
is "localhost" and prevent the warning message if it is.

* fix: disable loading insecure resources warning for localhost

In warnAboutInsecureResources(), filter out resources from localhost
since they are most likely not a threat.

* test: add tests for ignoring security warnings when using localhost

Add tests for ignoring warning messages for the following scenarios:
  1. node integration with remote content from localhost
  2. loading insecure resources from localhost

* test: fix insecure resource test

* test: pass nodeIntegration with remote test on did-finish-load

* test: maybe fix node integration test (error w/ conv circular struct)

* test: update test description

* test: use "load" event to check when nodeIntegration test has finished

Instead of relying on the "did-finish-load" event, which may result in
a race condition, add an "onload" handler that logs "loaded" to the
console. This will execute _after_ the nodeIntegration check, so it
can be safely used as a signal to indicate that the test is done.

* test: rename base-page-security-load-message.html

* fix: ignore enabled remote module warning for localhost

* refactor: add isLocalhost()
Jerry Wu 2019-07-02 03:36:50 -07:00 committed by Cheng Zhao
parent 4e2990d3aa
commit dee331519c
3 changed files with 74 additions and 2 deletions


@ -58,6 +58,19 @@ const getIsRemoteProtocol = function () {
}
}
/**
* Checks if the current window is from localhost.
*
* @returns {boolean} - Is current window from localhost?
*/
const isLocalhost = function () {
if (!window || !window.location) {
return false
}
return window.location.hostname === 'localhost'
}
/**
* Tries to determine whether a CSP without `unsafe-eval` is set.
*
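Review bot: the guard `if (!window || !window.location)` at the top of isLocalhost() does not protect against `window` being undeclared; reading an undeclared identifier throws a ReferenceError before the negation runs, so the check only ever catches a declared-but-falsy `window`. If the intent is to be safe outside a renderer, `typeof window === 'undefined'` is the test that actually short-circuits. Separately, `window.location.hostname === 'localhost'` is an exact string match, so a page served from `127.0.0.1` or `[::1]` keeps receiving the warnings while one served from `localhost` does not; either state that limitation in the JSDoc or extend the comparison so the loopback spellings behave the same.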
@ -92,6 +105,7 @@ const warnAboutInsecureResources = function () {
const resources = window.performance
.getEntriesByType('resource')
.filter(({ name }) => /^(http|ftp):/gi.test(name || ''))
.filter(({ name }) => new URL(name).hostname !== 'localhost')
.map(({ name }) => `- ${name}`)
.join('\n')
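Review bot: the new `.filter(({ name }) => new URL(name).hostname !== 'localhost')` suppresses the insecure-resource warning for every `http://localhost` resource regardless of which origin the page itself was loaded from, which is broader than the page-on-localhost exemption the other hunks add through isLocalhost(). If the goal is development-server convenience, gating the whole warning on isLocalhost() the way the other two warnings do is the narrower change; if a per-resource filter is really intended, it should use the same loopback check as isLocalhost() so the two definitions of "localhost" cannot drift apart.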
@ -115,7 +129,7 @@ const warnAboutInsecureResources = function () {
* Logs a warning message about Node integration.
*/
const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) {
if (!nodeIntegration) return
if (!nodeIntegration || isLocalhost()) return
if (getIsRemoteProtocol()) {
const warning = `This renderer process has Node.js integration enabled
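Review bot: the JSDoc above this function (`* Logs a warning message about Node integration.`) no longer describes its behaviour: with `if (!nodeIntegration || isLocalhost()) return` the warning is also skipped whenever the page is served from localhost. Add that exemption to the comment so a reader does not assume the warning fires for every remote page that has nodeIntegration enabled.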
@ -254,7 +268,7 @@ const warnAboutAllowedPopups = function () {
// Logs a warning message about the remote module
const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electron.WebPreferences) {
if (!webPreferences || !webPreferences.enableRemoteModule) return
if (!webPreferences || !webPreferences.enableRemoteModule || isLocalhost()) return
if (getIsRemoteProtocol()) {
const warning = `This renderer process has "enableRemoteModule" enabled
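Review bot: same documentation gap as in warnAboutNodeWithRemoteContent: the comment `// Logs a warning message about the remote module` should mention that localhost pages are now exempted by the `|| isLocalhost()` clause. This is the second warning that combines `getIsRemoteProtocol()` with the not-localhost condition, so a small shared guard would keep the two checks from diverging the next time one of them is changed.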