Enable webview in sandbox renderer (#13435)
* Enable webview in sandbox renderer Security: Inherit embedder prefs onto webview * cache lastwebprefs
This commit is contained in:
parent
42d173b343
commit
eb223f8bc3
4 changed files with 51 additions and 1 deletions
|
@ -92,6 +92,12 @@ void InitializeBindings(v8::Local<v8::Object> binding,
|
||||||
b.SetMethod("getHeapStatistics", &AtomBindings::GetHeapStatistics);
|
b.SetMethod("getHeapStatistics", &AtomBindings::GetHeapStatistics);
|
||||||
b.SetMethod("getProcessMemoryInfo", &AtomBindings::GetProcessMemoryInfo);
|
b.SetMethod("getProcessMemoryInfo", &AtomBindings::GetProcessMemoryInfo);
|
||||||
b.SetMethod("getSystemMemoryInfo", &AtomBindings::GetSystemMemoryInfo);
|
b.SetMethod("getSystemMemoryInfo", &AtomBindings::GetSystemMemoryInfo);
|
||||||
|
|
||||||
|
// Pass in CLI flags needed to setup the renderer
|
||||||
|
base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
|
||||||
|
if (command_line->HasSwitch(switches::kGuestInstanceID))
|
||||||
|
b.Set(options::kGuestInstanceID,
|
||||||
|
command_line->GetSwitchValueASCII(switches::kGuestInstanceID));
|
||||||
}
|
}
|
||||||
|
|
||||||
class AtomSandboxedRenderFrameObserver : public AtomRenderFrameObserver {
|
class AtomSandboxedRenderFrameObserver : public AtomRenderFrameObserver {
|
||||||
|
|
|
@ -240,6 +240,23 @@ const attachGuest = function (event, elementInstanceId, guestInstanceId, params)
|
||||||
webPreferences.disablePopups = true
|
webPreferences.disablePopups = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Security options that guest will always inherit from embedder
|
||||||
|
const inheritedWebPreferences = new Map([
|
||||||
|
['contextIsolation', true],
|
||||||
|
['javascript', false],
|
||||||
|
['nativeWindowOpen', true],
|
||||||
|
['nodeIntegration', false],
|
||||||
|
['sandbox', true]
|
||||||
|
])
|
||||||
|
|
||||||
|
// Inherit certain option values from embedder
|
||||||
|
const lastWebPreferences = embedder.getLastWebPreferences()
|
||||||
|
for (const [name, value] of inheritedWebPreferences) {
|
||||||
|
if (lastWebPreferences[name] === value) {
|
||||||
|
webPreferences[name] = value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
embedder.emit('will-attach-webview', event, webPreferences, params)
|
embedder.emit('will-attach-webview', event, webPreferences, params)
|
||||||
if (event.defaultPrevented) {
|
if (event.defaultPrevented) {
|
||||||
if (guest.viewInstanceId == null) guest.viewInstanceId = params.instanceId
|
if (guest.viewInstanceId == null) guest.viewInstanceId = params.instanceId
|
||||||
|
|
|
@ -78,6 +78,16 @@ if (window.location.protocol === 'chrome-devtools:') {
|
||||||
require('../renderer/inspector')
|
require('../renderer/inspector')
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (binding.guestInstanceId) {
|
||||||
|
process.guestInstanceId = parseInt(binding.guestInstanceId)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!process.guestInstanceId && preloadProcess.argv.indexOf('--webview-tag=true') !== -1) {
|
||||||
|
// don't allow recursive `<webview>`
|
||||||
|
require('../renderer/web-view/web-view')
|
||||||
|
require('../renderer/web-view/web-view-attributes')
|
||||||
|
}
|
||||||
|
|
||||||
// Wrap the script into a function executed in global scope. It won't have
|
// Wrap the script into a function executed in global scope. It won't have
|
||||||
// access to the current scope, so we'll expose a few objects as arguments:
|
// access to the current scope, so we'll expose a few objects as arguments:
|
||||||
//
|
//
|
||||||
|
|
|
@ -8,7 +8,7 @@ const os = require('os')
|
||||||
const qs = require('querystring')
|
const qs = require('querystring')
|
||||||
const http = require('http')
|
const http = require('http')
|
||||||
const {closeWindow} = require('./window-helpers')
|
const {closeWindow} = require('./window-helpers')
|
||||||
|
const {emittedOnce} = require('./events-helpers')
|
||||||
const {ipcRenderer, remote, screen} = require('electron')
|
const {ipcRenderer, remote, screen} = require('electron')
|
||||||
const {app, ipcMain, BrowserWindow, BrowserView, protocol, session, webContents} = remote
|
const {app, ipcMain, BrowserWindow, BrowserView, protocol, session, webContents} = remote
|
||||||
|
|
||||||
|
@ -1573,6 +1573,23 @@ describe('BrowserWindow module', () => {
|
||||||
})
|
})
|
||||||
w.loadURL('file://' + path.join(fixtures, 'api', 'preload.html'))
|
w.loadURL('file://' + path.join(fixtures, 'api', 'preload.html'))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('webview in sandbox renderer', async () => {
|
||||||
|
w.destroy()
|
||||||
|
w = new BrowserWindow({
|
||||||
|
show: false,
|
||||||
|
webPreferences: {
|
||||||
|
sandbox: true,
|
||||||
|
preload: preload,
|
||||||
|
webviewTag: true
|
||||||
|
}
|
||||||
|
})
|
||||||
|
w.loadURL(`file://${fixtures}/pages/webview-did-attach-event.html`)
|
||||||
|
|
||||||
|
const [, webContents] = await emittedOnce(w.webContents, 'did-attach-webview')
|
||||||
|
const [, id] = await emittedOnce(ipcMain, 'webview-dom-ready')
|
||||||
|
expect(webContents.id).to.equal(id)
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('nativeWindowOpen option', () => {
|
describe('nativeWindowOpen option', () => {
|
||||||
|
|
Loading…
Reference in a new issue