diff --git a/atom/renderer/atom_sandboxed_renderer_client.cc b/atom/renderer/atom_sandboxed_renderer_client.cc
index 042a89bf839d..b28d89236c00 100644
--- a/atom/renderer/atom_sandboxed_renderer_client.cc
+++ b/atom/renderer/atom_sandboxed_renderer_client.cc
@@ -81,11 +81,19 @@ base::CommandLine::StringVector GetArgv() {
 return base::CommandLine::ForCurrentProcess()->argv();
 }
 
+v8::Local CreatePreloadScript(v8::Isolate* isolate,
+ v8::Local preloadSrc) {
+ auto script = v8::Script::Compile(preloadSrc);
+ auto func = script->Run();
+ return func;
+}
+
 void InitializeBindings(v8::Local binding,
 v8::Local context) {
 auto* isolate = context->GetIsolate();
 mate::Dictionary b(isolate, binding);
 b.SetMethod("get", GetBinding);
+ b.SetMethod("createPreloadScript", CreatePreloadScript);
 b.SetMethod("crash", AtomBindings::Crash);
 b.SetMethod("hang", AtomBindings::Hang);
 b.SetMethod("getArgv", GetArgv);
diff --git a/lib/sandboxed_renderer/init.js b/lib/sandboxed_renderer/init.js
index d4d63cf2fca5..7018ca897e39 100644
--- a/lib/sandboxed_renderer/init.js
+++ b/lib/sandboxed_renderer/init.js
@@ -112,10 +112,8 @@ if (preloadSrc) {
 ${preloadSrc}
 })`
 
- // eval in window scope:
- // http://www.ecma-international.org/ecma-262/5.1/#sec-10.4.2
- const geval = eval
- const preloadFn = geval(preloadWrapperSrc)
+ // eval in window scope
+ const preloadFn = binding.createPreloadScript(preloadWrapperSrc)
 const {setImmediate, clearImmediate} = require('timers')
 preloadFn(preloadRequire, preloadProcess, Buffer, global, setImmediate, clearImmediate)
 } else if (preloadError) {
diff --git a/spec/fixtures/module/preload-context.js b/spec/fixtures/module/preload-context.js
new file mode 100644
index 000000000000..3d3f8bc9755c
--- /dev/null
+++ b/spec/fixtures/module/preload-context.js
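Review bot: In `CreatePreloadScript` (atom/renderer/atom_sandboxed_renderer_client.cc) the result of `v8::Script::Compile(preloadSrc)` is used unchecked, so a preload file that fails to compile would yield an empty handle and `script->Run()` would dereference it, crashing the sandboxed renderer where the old `eval` path raised a catchable SyntaxError. The `isolate` parameter is also unused in the new function. I would switch to the context-taking `MaybeLocal` overloads and return early when either step fails, so the pending exception propagates back to init.js. The handle types in the sketch are assumed, because the page shows `v8::Local` with its template arguments stripped.

```cpp
v8::Local<v8::Value> CreatePreloadScript(v8::Isolate* isolate,
                                         v8::Local<v8::String> preloadSrc) {
  auto context = isolate->GetCurrentContext();
  v8::Local<v8::Script> script;
  // Empty on a syntax error; V8 has already scheduled the exception.
  if (!v8::Script::Compile(context, preloadSrc).ToLocal(&script))
    return v8::Local<v8::Value>();
  v8::Local<v8::Value> func;
  if (!script->Run(context).ToLocal(&func))
    return v8::Local<v8::Value>();
  return func;
}
```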
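Review bot: The retained comment `// eval in window scope` in lib/sandboxed_renderer/init.js no longer matches the code, which now hands `preloadWrapperSrc` to the native `binding.createPreloadScript` instead of calling indirect eval. I would reword it to `// compile and run the wrapper in the global scope through the native binding instead of eval`. A second comment line should note that this binding executes any string it is given, presumably without passing through the page's eval restrictions (CSP), so `binding` must stay private to this file and never be handed to the preload script or the page. The enclosing `if (preloadSrc)` block starts above the hunk, so whether `binding` is exposed elsewhere is not visible here.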
@@ -0,0 +1,10 @@
+var test = 'test' // eslint-disable-line
+
+const types = {
+ require: typeof require,
+ electron: typeof electron,
+ window: typeof window,
+ localVar: typeof window.test
+}
+
+console.log(JSON.stringify(types))
diff --git a/spec/webview-spec.js b/spec/webview-spec.js
index 1025cf744578..c68eb8b01fb1 100644
--- a/spec/webview-spec.js
+++ b/spec/webview-spec.js
@@ -249,6 +249,22 @@ describe(' tag', function () {
 })
 })
 
+ it('runs in the correct scope when sandboxed', async () => {
+ const message = await startLoadingWebViewAndWaitForMessage(webview, {
+ preload: `${fixtures}/module/preload-context.js`,
+ src: `file://${fixtures}/api/blank.html`,
+ webpreferences: 'sandbox=yes'
+ })
+
+ const types = JSON.parse(message)
+ expect(types).to.include({
+ require: 'function', // arguments passed to it should be availale
+ electron: 'undefined', // objects from the scope it is called from should not be available
+ window: 'object', // the window object should be available
+ localVar: 'undefined' // but local variables should not be exposed to the window
+ })
+ })
+
 it('preload script can require modules that still use "process" and "Buffer" when nodeintegration is off', async () => {
 const message = await startLoadingWebViewAndWaitForMessage(webview, {
 preload: `${fixtures}/module/preload-node-off-wrapper.js`,
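Review bot: The new `runs in the correct scope when sandboxed` test in spec/webview-spec.js covers only a preload that compiles and runs cleanly. Nothing covers a preload with a syntax error or one that throws at top level, which is the path where the native `createPreloadScript` replaces `eval`'s error behaviour. A second case using a deliberately malformed fixture, asserting that the renderer survives and the error is reported, would pin that down. Minor: `availale` in the `require` comment should read `available`. The enclosing `describe` block starts and ends outside the hunk.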