16 commits

Author SHA1 Message Date
Milan Burda
64b7be751a fix: CSP with unsafe-eval detection with Trusted Types (#27446) 2021-01-25 10:31:25 +09:00
Samuel Attard
3db4e612f4 fix: handle security warnings promise when JS is disabled (#26837) 2020-12-07 10:58:00 -08:00
Milan Burda
2c68bad631 refactor: create IPC_MESSAGES enum for IPC message channels (#25694) 2020-10-14 00:11:06 +03:00
Jeremy Rose
822b044068 fix: suppress worldSafe warning emitted from security checks (#25692) 2020-10-01 08:59:52 -07:00
Samuel Attard
5d657dece4 build: enable JS semicolons (#22783) 2020-03-20 13:28:31 -07:00
Samuel Attard
b87b501161 build: update eslint + eslint plugins (#22777)
* build: run eslint --fix

* chore: manually fix all hasOwnProperty errors

* chore: manually fix all void 0 vs undefined errors

* chore: manually fix all async-in-promise errors

* chore: manually fix lexical declaration in case block
2020-03-20 11:12:18 -04:00
Jeremy Apthorp
2e1531ad90 feat: warn when remote is used without enableRemoteModule: true (#21546)
* feat: warn when remote is used without enableRemoteModule: true

* fix security warning
2020-01-13 15:23:03 +09:00
Milan Burda
81e9dab52f refactor: replace ipcRendererUtils.invoke() with ipcRendererInternal.invoke() (#19574) 2019-08-23 15:45:50 -07:00
Jerry Wu
dee331519c fix: disable nodeIntegration & insecure resource warnings for localhost (#18814)
* fix: disable remote host nodeIntegration warning for localhost

In warnAboutNodeWithRemoteContent(), add a check to see if the hostname
is "localhost" and prevent the warning message if it is.

* fix: disable loading insecure resources warning for localhost

In warnAboutInsecureResources(), filter out resources from localhost
since they are most likely not a threat.

* test: add tests for ignoring security warnings when using localhost

Add tests for ignoring warning messages for the following scenarios:
  1. node integration with remote content from localhost
  2. loading insecure resources from localhost

* test: fix insecure resource test

* test: pass nodeIntegration with remote test on did-finish-load

* test: maybe fix node integration test (error w/ conv circular struct)

* test: update test description

* test: use "load" event to check when nodeIntegration test has finished

Instead of relying on the "did-finish-load" event, which may result in
a race condition, add an "onload" handler that logs "loaded" to the
console. This will execute _after_ the nodeIntegration check, so it
can be safely used as a signal to indicate that the test is done.

* test: rename base-page-security-load-message.html

* fix: ignore enabled remote module warning for localhost

* refactor: add isLocalhost()
2019-07-02 19:36:50 +09:00
Jerry Wu
d5811607eb fix: extra space in security warning message causing list misalignment (#18815) 2019-06-18 09:59:02 -07:00
Milan Burda
0af3548b55 feat: add security warning for remote module with remote content (#18822) 2019-06-17 14:21:30 -07:00
Milan Burda
c9bca78a7a refactor: use async invoke to get webPreferences in security-warnings.ts (#18821) 2019-06-17 10:57:09 -07:00
Samuel Attard
bc527f6b51 refactor: bundle the browser and renderer process electron code (#18553)
* refactor: bundle the browser and renderer process electron code

* Bundles browser/init and renderer/init
  * Improves load performance of main process by ~40%
  * Improves load performance of renderer process by ~30%
* Prevents users from importing or "requiring" our internal logic such
as ipc-main-internal.  This makes those message buses safer as they are
less accessible; there is still some more work to be done, though, to lock
down those buses completely.
* The electron.asar file now only contains 2 files, as a future
improvement maybe we can use atom_natives to ship these two files
embedded in the binary
* This also removes our dependency on browserify which had some strange
edge cases that caused us to have to hack around require-order and
stopped us using certain ES6/7 features we should have been able to use
(async / await in some files in the sandboxed renderer init script)

TLDR: Things are faster and better :)

* fix: I really do not want to talk about it

* chore: add performance improvements from debugging

* fix: resolve the provided path so webpack thinks it is absolute

* chore: fixup per PR review

* fix: use webpack's ProvidePlugin to keep global, process and Buffer alive after deletion from global scope for use in internal code

* fix: bundle worker/init as well to make node-in-workers work

* chore: update wording as per feedback

* chore: make the timers hack work when yarn is not used
2019-06-02 13:03:03 -07:00
Milan Burda
2e89348541 feat: promisify executeJavaScript (#17312) 2019-03-14 12:08:54 -07:00
ZYSzys
a40d826b11 chore: remove unused catch bindings (#16121) 2019-02-21 09:26:07 +00:00
Felix Rieseberg
6b3ff4f1f7 refactor: Port security warnings to TypeScript (#16937)
* refactor: Port security-warnings to TypeScript

* chore: make aliasify work on .ts files as well

* refactor: Implement feedback <3

* refactor: Correctly call executeJavaScript
2019-02-16 17:06:30 -08:00
Renamed from lib/renderer/security-warnings.js