fix: ensure no node globals passively leak when nodeIntegration is disabled (#21342)
This commit is contained in:
parent
66035a2448
commit
ee58d60612
3 changed files with 46 additions and 0 deletions
|
@ -192,6 +192,8 @@ if (nodeIntegration) {
|
|||
delete global.setImmediate
|
||||
delete global.clearImmediate
|
||||
delete global.global
|
||||
delete global.root
|
||||
delete global.GLOBAL
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1543,6 +1543,37 @@ describe('BrowserWindow module', () => {
|
|||
sandbox: true,
|
||||
contextIsolation: true
|
||||
})
|
||||
it('does not leak any node globals on the window object with nodeIntegration is disabled', async () => {
|
||||
let w = new BrowserWindow({
|
||||
webPreferences: {
|
||||
contextIsolation: false,
|
||||
nodeIntegration: false,
|
||||
preload: path.resolve(fixtures, 'module', 'empty.js')
|
||||
},
|
||||
show: false
|
||||
})
|
||||
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
|
||||
const [, notIsolated] = await emittedOnce(ipcMain, 'leak-result')
|
||||
expect(notIsolated).to.have.property('globals')
|
||||
|
||||
w.destroy()
|
||||
w = new BrowserWindow({
|
||||
webPreferences: {
|
||||
contextIsolation: true,
|
||||
nodeIntegration: false,
|
||||
preload: path.resolve(fixtures, 'module', 'empty.js')
|
||||
},
|
||||
show: false
|
||||
})
|
||||
w.loadFile(path.join(fixtures, 'api', 'globals.html'))
|
||||
const [, isolated] = await emittedOnce(ipcMain, 'leak-result')
|
||||
expect(isolated).to.have.property('globals')
|
||||
const notIsolatedGlobals = new Set(notIsolated.globals)
|
||||
for (const isolatedGlobal of isolated.globals) {
|
||||
notIsolatedGlobals.delete(isolatedGlobal)
|
||||
}
|
||||
expect([...notIsolatedGlobals]).to.deep.equal([], 'non-isoalted renderer should have no additional globals')
|
||||
})
|
||||
|
||||
it('loads the script before other scripts in window', async () => {
|
||||
const preload = path.join(fixtures, 'module', 'set-global.js')
|
||||
|
|
13
spec/fixtures/api/globals.html
vendored
Normal file
13
spec/fixtures/api/globals.html
vendored
Normal file
|
@ -0,0 +1,13 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<title>Document</title>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
window.postMessage({
|
||||
globals: Object.keys(Object.getOwnPropertyDescriptors(window))
|
||||
})
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in a new issue