fix: disable nodeIntegration & insecure resource warnings for localhost (#18814)

* fix: disable remote host nodeIntegration warning for localhost

In warnAboutNodeWithRemoteContent(), add a check to see if the hostname
is "localhost" and prevent the warning message if it is.

* fix: disable loading insecure resources warning for localhost

In warnAboutInsecureResources(), filter out resources from localhost
since they are most likely not a threat.

* test: add tests for ignoring security warnings when using localhost

Add tests for ignoring warning messages for the following scenarios:
  1. node integration with remote content from localhost
  2. loading insecure resources from localhost

* test: fix insecure resource test

* test: pass nodeIntegration with remote test on did-finish-load

* test: maybe fix node integration test (error w/ conv circular struct)

* test: update test description

* test: use "load" event to check when nodeIntegration test has finished

Instead of relying on the "did-finish-load" event, which may result in
a race condition, add an "onload" handler that logs "loaded" to the
console. This will execute _after_ the nodeIntegration check, so it
can be safely used as a signal to indicate that the test is done.

* test: rename base-page-security-load-message.html

* fix: ignore enabled remote module warning for localhost

* refactor: add isLocalhost()

lib/renderer/security-warnings.ts

@@ -58,6 +58,19 @@ const getIsRemoteProtocol = function () {
   }
 }
 
+/**
+ * Checks if the current window is from localhost.
+ *
+ * @returns {boolean} - Is current window from localhost?
+ */
+const isLocalhost = function () {
+  if (!window || !window.location) {
+    return false
+  }
+
+  return window.location.hostname === 'localhost'
+}
+
 /**
  * Tries to determine whether a CSP without `unsafe-eval` is set.
  *
@@ -92,6 +105,7 @@ const warnAboutInsecureResources = function () {
   const resources = window.performance
     .getEntriesByType('resource')
     .filter(({ name }) => /^(http|ftp):/gi.test(name || ''))
+    .filter(({ name }) => new URL(name).hostname !== 'localhost')
     .map(({ name }) => `- ${name}`)
     .join('\n')
 
@@ -115,7 +129,7 @@ const warnAboutInsecureResources = function () {
  * Logs a warning message about Node integration.
  */
 const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) {
-  if (!nodeIntegration) return
+  if (!nodeIntegration || isLocalhost()) return
 
   if (getIsRemoteProtocol()) {
     const warning = `This renderer process has Node.js integration enabled
@@ -254,7 +268,7 @@ const warnAboutAllowedPopups = function () {
 // Logs a warning message about the remote module
 
 const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electron.WebPreferences) {
-  if (!webPreferences || !webPreferences.enableRemoteModule) return
+  if (!webPreferences || !webPreferences.enableRemoteModule || isLocalhost()) return
 
   if (getIsRemoteProtocol()) {
     const warning = `This renderer process has "enableRemoteModule" enabled

spec/fixtures/pages/base-page-security-onload-message.html

@@ -0,0 +1,10 @@
+<html>
+  <head>
+    <script type="text/javascript">
+      window.ELECTRON_ENABLE_SECURITY_WARNINGS = true
+      window.addEventListener('load', () => console.log('loaded'));
+    </script>
+  </head>
+<body>
+</body>
+</html>

spec/security-warnings-spec.js

@@ -78,6 +78,24 @@ describe('security warnings', () => {
     w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
   })
 
+  it('should not warn about Node.js integration with remote content from localhost', (done) => {
+    w = new BrowserWindow({
+      show: false,
+      webPreferences: {
+        nodeIntegration: true
+      }
+    })
+    w.webContents.once('console-message', (e, level, message) => {
+      expect(message).to.not.include('Node.js Integration with Remote Content')
+
+      if (message === 'loaded') {
+        done()
+      }
+    })
+
+    w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
+  })
+
   const generateSpecs = (description, webPreferences) => {
     describe(description, () => {
       it('should warn about disabled webSecurity', (done) => {
@@ -189,6 +207,20 @@ describe('security warnings', () => {
         w.webContents.openDevTools()
       })
 
+      it('should not warn about loading insecure-resources.html from localhost', (done) => {
+        w = new BrowserWindow({
+          show: false,
+          webPreferences
+        })
+        w.webContents.once('console-message', (e, level, message) => {
+          expect(message).to.not.include('insecure-resources.html')
+          done()
+        })
+
+        w.loadURL(`http://localhost:8881/insecure-resources.html`)
+        w.webContents.openDevTools()
+      })
+
       it('should warn about enabled remote module with remote content', (done) => {
         w = new BrowserWindow({
           show: false,
@@ -201,6 +233,22 @@ describe('security warnings', () => {
 
         w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
       })
+
+      it('should not warn about enabled remote module with remote content from localhost', (done) => {
+        w = new BrowserWindow({
+          show: false,
+          webPreferences
+        })
+        w.webContents.once('console-message', (e, level, message) => {
+          expect(message).to.not.include('enableRemoteModule')
+
+          if (message === 'loaded') {
+            done()
+          }
+        })
+
+        w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
+      })
     })
   }