From eb223f8bc3bb131775b1b19881e0438be065bf17 Mon Sep 17 00:00:00 2001 From: Hari Juturu Date: Mon, 2 Jul 2018 09:06:26 -0700 Subject: [PATCH] Enable webview in sandbox renderer (#13435) * Enable webview in sandbox renderer Security: Inherit embedder prefs onto webview * cache lastwebprefs --- .../atom_sandboxed_renderer_client.cc | 6 ++++++ lib/browser/guest-view-manager.js | 17 +++++++++++++++++ lib/sandboxed_renderer/init.js | 10 ++++++++++ spec/api-browser-window-spec.js | 19 ++++++++++++++++++- 4 files changed, 51 insertions(+), 1 deletion(-) diff --git a/atom/renderer/atom_sandboxed_renderer_client.cc b/atom/renderer/atom_sandboxed_renderer_client.cc index ca66298fce10..042a89bf839d 100644 --- a/atom/renderer/atom_sandboxed_renderer_client.cc +++ b/atom/renderer/atom_sandboxed_renderer_client.cc @@ -92,6 +92,12 @@ void InitializeBindings(v8::Local binding, b.SetMethod("getHeapStatistics", &AtomBindings::GetHeapStatistics); b.SetMethod("getProcessMemoryInfo", &AtomBindings::GetProcessMemoryInfo); b.SetMethod("getSystemMemoryInfo", &AtomBindings::GetSystemMemoryInfo); + + // Pass in CLI flags needed to setup the renderer + base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); + if (command_line->HasSwitch(switches::kGuestInstanceID)) + b.Set(options::kGuestInstanceID, + command_line->GetSwitchValueASCII(switches::kGuestInstanceID)); } class AtomSandboxedRenderFrameObserver : public AtomRenderFrameObserver { diff --git a/lib/browser/guest-view-manager.js b/lib/browser/guest-view-manager.js index 28f1f4894b6e..da2663e6060a 100644 --- a/lib/browser/guest-view-manager.js +++ b/lib/browser/guest-view-manager.js @@ -240,6 +240,23 @@ const attachGuest = function (event, elementInstanceId, guestInstanceId, params) webPreferences.disablePopups = true } + // Security options that guest will always inherit from embedder + const inheritedWebPreferences = new Map([ + ['contextIsolation', true], + ['javascript', false], + ['nativeWindowOpen', true], + ['nodeIntegration', false], + ['sandbox', true] + ]) + + // Inherit certain option values from embedder + const lastWebPreferences = embedder.getLastWebPreferences() + for (const [name, value] of inheritedWebPreferences) { + if (lastWebPreferences[name] === value) { + webPreferences[name] = value + } + } + embedder.emit('will-attach-webview', event, webPreferences, params) if (event.defaultPrevented) { if (guest.viewInstanceId == null) guest.viewInstanceId = params.instanceId diff --git a/lib/sandboxed_renderer/init.js b/lib/sandboxed_renderer/init.js index dcb1357d30ee..d4d63cf2fca5 100644 --- a/lib/sandboxed_renderer/init.js +++ b/lib/sandboxed_renderer/init.js @@ -78,6 +78,16 @@ if (window.location.protocol === 'chrome-devtools:') { require('../renderer/inspector') } +if (binding.guestInstanceId) { + process.guestInstanceId = parseInt(binding.guestInstanceId) +} + +if (!process.guestInstanceId && preloadProcess.argv.indexOf('--webview-tag=true') !== -1) { + // don't allow recursive `` + require('../renderer/web-view/web-view') + require('../renderer/web-view/web-view-attributes') +} + // Wrap the script into a function executed in global scope. It won't have // access to the current scope, so we'll expose a few objects as arguments: // diff --git a/spec/api-browser-window-spec.js b/spec/api-browser-window-spec.js index 31064b00b76f..41a361a91318 100644 --- a/spec/api-browser-window-spec.js +++ b/spec/api-browser-window-spec.js @@ -8,7 +8,7 @@ const os = require('os') const qs = require('querystring') const http = require('http') const {closeWindow} = require('./window-helpers') - +const {emittedOnce} = require('./events-helpers') const {ipcRenderer, remote, screen} = require('electron') const {app, ipcMain, BrowserWindow, BrowserView, protocol, session, webContents} = remote @@ -1573,6 +1573,23 @@ describe('BrowserWindow module', () => { }) w.loadURL('file://' + path.join(fixtures, 'api', 'preload.html')) }) + + it('webview in sandbox renderer', async () => { + w.destroy() + w = new BrowserWindow({ + show: false, + webPreferences: { + sandbox: true, + preload: preload, + webviewTag: true + } + }) + w.loadURL(`file://${fixtures}/pages/webview-did-attach-event.html`) + + const [, webContents] = await emittedOnce(w.webContents, 'did-attach-webview') + const [, id] = await emittedOnce(ipcMain, 'webview-dom-ready') + expect(webContents.id).to.equal(id) + }) }) describe('nativeWindowOpen option', () => {