fix: disable nodeIntegration & insecure resource warnings for localhost (#18814)

* fix: disable remote host nodeIntegration warning for localhost In warnAboutNodeWithRemoteContent(), add a check to see if the hostname is "localhost" and prevent the warning message if it is. * fix: disable loading insecure resources warning for localhost In warnAboutInsecureResources(), filter out resources from localhost since they are most likely not a threat. * test: add tests for ignoring security warnings when using localhost Add tests for ignoring warning messages for the following scenarios: 1. node integration with remote content from localhost 2. loading insecure resources from localhost * test: fix insecure resource test * test: pass nodeIntegration with remote test on did-finish-load * test: maybe fix node integration test (error w/ conv circular struct) * test: update test description * test: use "load" event to check when nodeIntegration test has finished Instead of relying on the "did-finish-load" event, which may result in a race condition, add an "onload" handler that logs "loaded" to the console. This will execute _after_ the nodeIntegration check, so it can be safely used as a signal to indicate that the test is done. * test: rename base-page-security-load-message.html * fix: ignore enabled remote module warning for localhost * refactor: add isLocalhost()
2019-07-02 03:36:50 -07:00 · 2019-07-02 03:36:50 -07:00 · dee331519c
commit dee331519c
parent 4e2990d3aa
3 changed files with 74 additions and 2 deletions
--- a/spec/security-warnings-spec.js
+++ b/spec/security-warnings-spec.js
@ -78,6 +78,24 @@ describe('security warnings', () => {
    w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
  })

+  it('should not warn about Node.js integration with remote content from localhost', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        nodeIntegration: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      expect(message).to.not.include('Node.js Integration with Remote Content')
+
+      if (message === 'loaded') {
+        done()
+      }
+    })
+
+    w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
+  })
+
  const generateSpecs = (description, webPreferences) => {
    describe(description, () => {
      it('should warn about disabled webSecurity', (done) => {
@ -189,6 +207,20 @@ describe('security warnings', () => {
        w.webContents.openDevTools()
      })

+      it('should not warn about loading insecure-resources.html from localhost', (done) => {
+        w = new BrowserWindow({
+          show: false,
+          webPreferences
+        })
+        w.webContents.once('console-message', (e, level, message) => {
+          expect(message).to.not.include('insecure-resources.html')
+          done()
+        })
+
+        w.loadURL(`http://localhost:8881/insecure-resources.html`)
+        w.webContents.openDevTools()
+      })
+
      it('should warn about enabled remote module with remote content', (done) => {
        w = new BrowserWindow({
          show: false,
@ -201,6 +233,22 @@ describe('security warnings', () => {

        w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
      })
+
+      it('should not warn about enabled remote module with remote content from localhost', (done) => {
+        w = new BrowserWindow({
+          show: false,
+          webPreferences
+        })
+        w.webContents.once('console-message', (e, level, message) => {
+          expect(message).to.not.include('enableRemoteModule')
+
+          if (message === 'loaded') {
+            done()
+          }
+        })
+
+        w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
+      })
    })
  }