* feat: add a new contextBridge module
* chore: fix docs linting
* feat: add support for function arguments being proxied
* chore: ensure that contextBridge can only be used when contextIsolation is enabled
* docs: getReverseBinding can be null
* docs: fix broken links in md file
* feat: add support for promises in function parameters
* fix: linting failure for explicit constructor
* Update atom_api_context_bridge.cc
* chore: update docs and API design as per feedback
* refactor: remove reverse bindings and handle GC'able functions across the bridge
* chore: only expose debugGC in testing builds
* fix: do not proxy promises as objects
* spec: add complete spec coverage for contextBridge
* spec: add tests for null/undefined and the anti-overwrite logic
* chore: fix linting
* spec: add complex nested back-and-forth function calling
* fix: expose contextBridge in sandboxed renderers
* refactor: improve security of default_app using the new contextBridge module
* s/bindAPIInMainWorld/exposeInMainWorld
* chore: sorry for this commit, its a big one, I fixed like everything and refactored a lot
* chore: remove PassedValueCache as it is unused now
Values transferred from context A to context B are now cachde in the RenderFramePersistenceStore
* chore: move to anonymous namespace
* refactor: remove PassValueToOtherContextWithCache
* chore: remove commented unused code blocks
* chore: remove .only
* chore: remote commented code
* refactor: extract RenderFramePersistenceStore
* spec: ensure it works with numbered keys
* fix: handle number keys correctly
* fix: sort out the linter
* spec: update default_app asar spec for removed file
* refactor: change signatures to return v8 objects directly rather than the mate dictionary handle
* refactor: use the v8 serializer to support cloneable buffers and other object types
* chore: fix linting
* fix: handle hash collisions with a linked list in the map
* fix: enforce a recursion limit on the context bridge
* chore: fix linting
* chore: remove TODO
* chore: adapt for PR feedback
* chore: remove .only
* chore: clean up docs and clean up the proxy map when objects are released
* chore: ensure we cache object values that are cloned through the V8 serializer
* docs: add clipboard paste Fiddle example
* docs: add clipboard copy Fiddle example
* docs: add appropriate title to Fiddles
Co-Authored-By: John Kleinschmidt <jkleinsc@github.com>
* refactor: use v8 serialization for ipc
* cloning process.env doesn't work
* serialize host objects by enumerating key/values
* new serialization can handle NaN, Infinity, and undefined correctly
* can't allocate v8 objects during GC
* backport microtasks fix
* fix compile
* fix node_stream_loader reentrancy
* update subframe spec to expect undefined instead of null
* write undefined instead of crashing when serializing host objects
* fix webview spec
* fix download spec
* buffers are transformed into uint8arrays
* can't serialize promises
* fix chrome.i18n.getMessage
* fix devtools tests
* fix zoom test
* fix debug build
* fix lint
* update ipcRenderer tests
* fix printToPDF test
* update patch
* remove accidentally re-added remote-side spec
* wip
* don't attempt to serialize host objects
* jump through different hoops to set options.webContents sometimes
* whoops
* fix lint
* clean up error-handling logic
* fix memory leak
* fix lint
* convert host objects using old base::Value serialization
* fix lint more
* fall back to base::Value-based serialization
* remove commented-out code
* add docs to breaking-changes.md
* Update breaking-changes.md
* update ipcRenderer and WebContents docs
* lint
* use named values for format tag
* save a memcpy for ~30% speedup
* get rid of calls to ShallowClone
* extra debugging for paranoia
* d'oh, use the correct named tags
* apparently msstl doesn't like this DCHECK
* funny story about that DCHECK
* disable remote-related functions when enable_remote_module = false
* nits
* use EnableIf to disable remote methods in mojom
* fix include
* review comments
Versions didn't show and I was getting errors in the Developer Tools: `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"`. The cause is probably that Chrome has implemented extra security since this tutorial was created. Added 'unsafe-inline' and it works.
Exposing these in the renderer didn't make sense as they weren't backed
by the same instance / value store. This API should be browser only
especially now that we have nativeTheme.themeSource. Exposing in
//common was a mistake from the beginning.
* docs: Add recent Electron version to security checklist
* Update docs/tutorial/security.md
Co-Authored-By: Mark Lee <malept@users.noreply.github.com>
* Update docs/tutorial/security.md
Co-Authored-By: Pedro Pontes <pepontes@microsoft.com>
* Update docs/tutorial/security.md
Co-Authored-By: Mark Lee <malept@users.noreply.github.com>
* feat: add nativeTheme.shouldUseDarkColorsOverride to allow apps to override Chromiums theme choice
* spec: add tests for shouldUseDarkColorsOverride
* chore: add missing forward declarations
* refactor: rename overrideShouldUseDarkColors to themeSource
* chore: only run appLevelAppearance specs on Mojave and up
* chore: update patch with more info and no define
* Update spec-main/api-native-theme-spec.ts
Co-Authored-By: Jeremy Apthorp <jeremya@chromium.org>
* Update api-native-theme-spec.ts
* Update api-native-theme-spec.ts
* Update api-native-theme-spec.ts
* test: tsify more WebContents specs
* getFocusedWebContents
* setDevToolsWebContents, isFocused, isCurrentlyAudible
* getWebPreferences, openDevTools
* before-input-event
* zoom-changed
* sendInputEvent
* insertCSS
* startDrag
* focus, getOSProcessId
* zoom api
* more closeAllWindows
* fix detached dev tools test
* fix zoom-changed test
* compare the correct kind of id 🤦♂️
* 'fix' openDevTools test to wait for multiple focus events
* fix tests? 🤞
* use request instead of blur to detect openExternal success
* try not timing out the keychain for testing
* use blur event on mac, sigh
* oh, right, still gotta open an actual url
I've asked #19775 because I was frustrated with how hard it was to find a way to fix (instead of hide) the CSP warning in Electron and I complained that even the official quick start guide wasn't compliant with the security checklist at https://electronjs.org/docs/tutorial/security. Someone helped me out with a CSP meta tag which I have later noticed is indeed mentioned in the checklist, too: https://electronjs.org/docs/tutorial/security#csp-meta-tag. I have not used the checklist one verbatim because it prevents a `script` tag from working when serving `index.html` through the `file:` protocol as the quick start does. I instead used the one the person in my issue recommended which seems to work well to me. I am not that well versed in CSP so there might be a better policy to include with the quick start, but this is what I've got for now.