Detect node integration in JavaScript

This commit is contained in:
Cheng Zhao 2014-10-25 18:51:26 +08:00
parent 04f1860bf5
commit f629fa7b27
6 changed files with 57 additions and 105 deletions

View file

@ -16,6 +16,7 @@ app.on('ready', function() {
width: 800,
height: 600,
resizable: false,
'node-integration': 'disable',
'auto-hide-menu-bar': true,
'use-content-size': true,
'web-preferences': {

View file

@ -76,13 +76,6 @@ bool AtomRenderViewObserver::OnMessageReceived(const IPC::Message& message) {
void AtomRenderViewObserver::OnBrowserMessage(const base::string16& channel,
const base::ListValue& args) {
if (!render_view()->GetWebView())
return;
blink::WebFrame* frame = render_view()->GetWebView()->mainFrame();
if (!renderer_client_->IsNodeBindingEnabled(frame))
return;
renderer_client_->atom_bindings()->OnBrowserMessage(
render_view(), channel, args);
}

View file

@ -19,7 +19,6 @@
#include "base/command_line.h"
#include "native_mate/converter.h"
#include "third_party/WebKit/public/web/WebCustomElement.h"
#include "third_party/WebKit/public/web/WebDocument.h"
#include "third_party/WebKit/public/web/WebFrame.h"
#include "third_party/WebKit/public/web/WebKit.h"
#include "third_party/WebKit/public/web/WebRuntimeFeatures.h"
@ -30,13 +29,6 @@ namespace atom {
namespace {
// Security tokens.
const char* kSecurityAll = "all";
const char* kSecurityExceptIframe = "except-iframe";
const char* kSecurityManualEnableIframe = "manual-enable-iframe";
const char* kSecurityDisable = "disable";
const char* kSecurityEnableNodeIntegration = "enable-node-integration";
bool IsSwitchEnabled(base::CommandLine* command_line,
const char* switch_string,
bool* enabled) {
@ -74,24 +66,9 @@ class AtomRenderFrameObserver : public content::RenderFrameObserver {
} // namespace
AtomRendererClient::AtomRendererClient()
: node_integration_(EXCEPT_IFRAME),
: node_bindings_(NodeBindings::Create(false)),
atom_bindings_(new AtomRendererBindings),
main_frame_(NULL) {
// Translate the token.
std::string token = CommandLine::ForCurrentProcess()->
GetSwitchValueASCII(switches::kNodeIntegration);
if (token == kSecurityExceptIframe)
node_integration_ = EXCEPT_IFRAME;
else if (token == kSecurityManualEnableIframe)
node_integration_ = MANUAL_ENABLE_IFRAME;
else if (token == kSecurityDisable)
node_integration_ = DISABLE;
else if (token == kSecurityAll)
node_integration_ = ALL;
if (IsNodeBindingEnabled()) {
node_bindings_.reset(NodeBindings::Create(false));
atom_bindings_.reset(new AtomRendererBindings);
}
}
AtomRendererClient::~AtomRendererClient() {
@ -103,9 +80,6 @@ void AtomRendererClient::WebKitInitialized() {
blink::WebCustomElement::addEmbedderCustomElementName("webview");
blink::WebCustomElement::addEmbedderCustomElementName("browserplugin");
if (!IsNodeBindingEnabled())
return;
node_bindings_->Initialize();
node_bindings_->PrepareMessageLoop();
@ -146,9 +120,6 @@ void AtomRendererClient::DidCreateScriptContext(blink::WebFrame* frame,
if (main_frame_ == NULL)
main_frame_ = frame;
if (!IsNodeBindingEnabled(frame))
return;
v8::Context::Scope scope(context);
// Check the existance of process object to prevent duplicate initialization.
@ -177,9 +148,6 @@ void AtomRendererClient::WillReleaseScriptContext(
blink::WebFrame* frame,
v8::Handle<v8::Context> context,
int world_id) {
if (!IsNodeBindingEnabled(frame))
return;
node::Environment* env = node::Environment::GetCurrent(context);
if (env == NULL) {
LOG(ERROR) << "Encounter a non-node context when releasing script context";
@ -225,27 +193,6 @@ bool AtomRendererClient::ShouldFork(blink::WebFrame* frame,
return http_method == "GET";
}
bool AtomRendererClient::IsNodeBindingEnabled(blink::WebFrame* frame) {
if (node_integration_ == DISABLE)
return false;
// Node integration is enabled in main frame unless explictly disabled.
else if (frame == main_frame_)
return true;
// Enable node integration in chrome extensions.
else if (frame != NULL &&
GURL(frame->document().url()).SchemeIs("chrome-extension"))
return true;
else if (node_integration_ == MANUAL_ENABLE_IFRAME &&
frame != NULL &&
frame->uniqueName().utf8().find(kSecurityEnableNodeIntegration)
== std::string::npos)
return false;
else if (node_integration_ == EXCEPT_IFRAME && frame != NULL)
return false;
else
return true;
}
void AtomRendererClient::EnableWebRuntimeFeatures() {
base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
bool b;

View file

@ -26,8 +26,6 @@ class AtomRendererClient : public content::ContentRendererClient,
AtomRendererClient();
virtual ~AtomRendererClient();
bool IsNodeBindingEnabled(blink::WebFrame* frame = NULL);
// Forwarded by RenderFrameObserver.
void WillReleaseScriptContext(blink::WebFrame* frame,
v8::Handle<v8::Context> context,
@ -70,9 +68,6 @@ class AtomRendererClient : public content::ContentRendererClient,
scoped_ptr<NodeBindings> node_bindings_;
scoped_ptr<AtomRendererBindings> atom_bindings_;
// The level of node integration we should support.
NodeIntegration node_integration_;
// The main frame.
blink::WebFrame* main_frame_;

View file

@ -20,37 +20,19 @@ globalPaths.push path.join(process.resourcesPath, 'app')
# Import common settings.
require path.resolve(__dirname, '..', '..', 'common', 'lib', 'init.js')
# Expose global variables.
global.require = require
global.module = module
# Emit the 'exit' event when page is unloading.
window.addEventListener 'unload', ->
process.emit 'exit'
# Set the __filename to the path of html file if it's file: or asar: protocol.
if window.location.protocol in ['file:', 'asar:']
pathname =
if process.platform is 'win32' and window.location.pathname[0] is '/'
window.location.pathname.substr 1
else
window.location.pathname
global.__filename = path.normalize decodeURIComponent(pathname)
global.__dirname = path.dirname global.__filename
# Set module's filename so relative require can work as expected.
module.filename = global.__filename
# Also search for module under the html file.
module.paths = module.paths.concat Module._nodeModulePaths(global.__dirname)
else
global.__filename = __filename
global.__dirname = __dirname
if '--guest' in process.argv
# This is a guest web view.
isGuest = true
require('web-frame').setName 'ATOM_SHELL_GUEST_WEB_VIEW'
# Process command line arguments.
isGuest = false
nodeIntegration = 'all'
for arg in process.argv
if arg is '--guest'
# This is a guest web view.
isGuest = true
# Set the frame name to make AtomRendererClient recognize this guest.
require('web-frame').setName 'ATOM_SHELL_GUEST_WEB_VIEW'
else
index = arg.indexOf '--node-integration='
continue unless index == 0
nodeIntegration = arg.substr arg.indexOf('=') + 1
if location.protocol is 'chrome-devtools:'
# Override some inspector APIs.
@ -63,3 +45,44 @@ else
require path.join(__dirname, 'override')
# Load webview tag implementation.
require path.join(__dirname, 'web-view') unless isGuest
if nodeIntegration in ['true', 'all', 'except-iframe', 'manual-enable-iframe']
# Export node bindings to global.
global.require = require
global.module = module
# Set the __filename to the path of html file if it's file: or asar: protocol.
if window.location.protocol in ['file:', 'asar:']
pathname =
if process.platform is 'win32' and window.location.pathname[0] is '/'
window.location.pathname.substr 1
else
window.location.pathname
global.__filename = path.normalize decodeURIComponent(pathname)
global.__dirname = path.dirname global.__filename
# Set module's filename so relative require can work as expected.
module.filename = global.__filename
# Also search for module under the html file.
module.paths = module.paths.concat Module._nodeModulePaths(global.__dirname)
else
global.__filename = __filename
global.__dirname = __dirname
# Redirect window.onerror to uncaughtException.
window.onerror = (error) ->
if global.process.listeners('uncaughtException').length > 0
global.process.emit 'uncaughtException', error
true
else
false
# Emit the 'exit' event when page is unloading.
window.addEventListener 'unload', ->
process.emit 'exit'
else
# There still some native initialization codes needs "process", delete the
# global reference after they are done.
setImmediate ->
delete global.process

View file

@ -1,10 +1,3 @@
# Redirect window.onerror to uncaughtException.
window.onerror = (error) ->
if global.process.listeners('uncaughtException').length > 0
global.process.emit 'uncaughtException', error
true
else
false
# Override default window.close, see:
# https://github.com/atom/atom-shell/issues/70