* remove painting from linux frame layout
* use chromium csd strategy for frameless windows
* Apply suggestions from code review
Remove unneeded virtual methods
Co-authored-by: Charles Kerr <charles@charleskerr.com>
* removed inline destructors
---------
Co-authored-by: Charles Kerr <charles@charleskerr.com>
* refactor: migrate electron::api::tray to cppgc
* chore: add Tray to wrappable_pointer_tags.h patch
* fixup! refactor: migrate electron::api::tray to cppgc
clear keep_alive_ if error is thrown in constructor
* refactor: make Tray::menu_ a cppgc::Member<Menu>
* fix: prevent traffic light buttons flashing on deminiaturize
When a window with a custom `trafficLightPosition` is minimized and
restored, macOS re-layouts the title bar container during the
deminiaturize animation, causing the traffic light buttons to briefly
appear at their default position before being repositioned.
Fix this by hiding the buttons container in `windowWillMiniaturize` and
restoring them (with a redraw to the correct position) in
`windowDidDeminiaturize`.
* chore: address feedback from review
* fix: continue to run ProxyingURLLoaderFactory for intercepted protocols
* test: webRequest handlers when loading browser windows
* fix: wrap special URL loaders factories with ProxyingURLLoaderFactory
* test: webRequest handlers when using net.fetch
* refactor: remove redundant intercepted protocol handling
AsarURLLoaderFactory is now intercepted by ProxyingURLLoaderFactory, which already handles when the file:// scheme is intercepted.
* fix: check before using saved headers in OnReceiveResponse
* fix: run webRequest handlers when loading file service workers
* test: handlers when loading file service workers
* refactor: add shared CreateURLLoaderFactoryBuilder method
---------
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
* Feat: support getDevToolsId() on WebContents
* Rename to `getOrCreateDevToolsTargetId`
* build: use spawn instead of spawnSync for build (#49774)
* Fix build
* formatting
---------
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
fix: validate protocol scheme names in setAsDefaultProtocolClient
On Windows, `app.setAsDefaultProtocolClient(protocol)` directly
concatenates the protocol string into the registry key path with no
validation. A protocol name containing `\` could write to an arbitrary
subkey under `HKCU\Software\Classes\`, potentially hijacking existing
protocol handlers.
To fix this, add `Browser::IsValidProtocolScheme()` which validates that a protocol
name conforms to the RFC 3986 scheme grammar:
scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
This rejects backslashes, forward slashes, whitespace, and any other
characters not permitted in URI schemes.
* fix: use requesting frame origin instead of top-level URL for permissions
`WebContentsPermissionHelper::RequestPermission` passes
`web_contents_->GetLastCommittedURL()` as the origin to the permission
manager instead of the actual requesting frame's origin. This enables
origin confusion when granting permissions to embedded third-party iframes,
since app permission handlers see the top-level origin instead of the
iframe's. The same pattern exists in the HID, USB, and Serial device
choosers, where grants are keyed to the primary main frame's origin rather
than the requesting frame's.
Fix this by using `requesting_frame->GetLastCommittedOrigin()` in all
affected code paths, renaming `details.requestingUrl` to
`details.requestingOrigin`, and populating it with the serialized
origin only.
* chore: keep requestingUrl name in permission handler details
The previous commit changed the details.requestingUrl field to
details.requestingOrigin in permission request/check handlers. That
field was already populated from the requesting frame's RFH, so the
rename was unnecessary and would break apps that read the existing
property. Revert to requestingUrl to preserve the existing API shape.
The functional changes to use the requesting frame in
WebContentsPermissionHelper and the HID/USB/Serial choosers remain.
---------
Co-authored-by: Samuel Attard <sattard@anthropic.com>
Previously the renderer checked a process-wide command-line switch to
decide whether to create a Node.js environment for dedicated workers.
When a renderer process hosted multiple WebContents with different
nodeIntegrationInWorker values (e.g. via window.open with overridden
webPreferences in setWindowOpenHandler), all workers in the process
used whichever value the first WebContents set on the command line.
Instead, plumb the flag through blink's WorkerSettings at worker
creation time, copying it from the initiating frame's WebPreferences.
The check on the worker thread then reads the per-worker value. Nested
workers inherit the flag from their parent worker via
WorkerSettings::Copy.
The --node-integration-in-worker command-line switch is removed as it
is no longer consumed.
* test: fix flaky mac dock & autofill tests
* fix: add null checks for the parent widget before calling IsVisible()
* test: remove autofill test change (failing on Linux), keep crash fix
* chore: autofill updates from code review
* docs: document that getCursorScreenPoint() needs a Window on Wayland
* feat: add IsWayland() helper
* fix: Wayland crash in GetCursorScreenPoint()
fix: support Screen::GetCursorScreenPoint() on X11
* refactor: replace deprecated NSUserNotifications with User Notifications
Removes deprecated NSUserNotification API, now using User Notifications
It replaces API calls for generating, scheduling, and receiving native
macOS notifications with equivalent API calls from the new framework,
or functionally equivalent implementations.
To preserve the existing Notification module API, special handling was
required in certain cases:
- Dynamically declared notification actions
Typically, notification actions should be declared at app launch time
when using the User Notifications framework. However, this isn’t
compatible with Electron’s architecture. Instead, we dynamically
declare new notifications actions when necessary and carefully manage
the existing actions registered at runtime.
- Localizations for ‘Reply’ and ‘Show’ labels
New translation files are added and processed through GRIT to add
localizations for “Reply” and “Show” button labels which were
initially supplied by the NSUserNotification framework.
* Use NotificationImageRetainer pattern from //chrome
* build: fix lint
* build: update config to handle --translate-gender for pak files
* test: also sign on arm64
* fix: add error handling for scheduling notification
* docs: add details to breaking changes
* docs: clarify breaking change details
* docs: add details for notifications tutorial and API documentation
---------
Co-authored-by: Keeley Hammond <khammond@slack-corp.com>
PowerMonitor registered OS-level callbacks (HWND UserData and
WTS/suspend notifications on Windows, shutdown handler and lock-screen
observer on macOS) but never cleaned them up in its destructor. The JS
layer also only held the native object in a closure-local variable,
allowing GC to reclaim it while those registrations still referenced
freed memory.
Retain the native PowerMonitor at module level in power-monitor.ts so
it cannot be garbage-collected. Add DestroyPlatformSpecificMonitors()
to properly tear down OS registrations on destruction: on Windows,
unregister WTS and suspend notifications, clear GWLP_USERDATA, and
destroy the HWND; on macOS, remove the emitter from the global
MacLockMonitor and reset the Browser shutdown handler.
Previously, GetProtocolLaunchPath and FormatCommandLineString in
browser_win.cc used naive quoting which could break when paths or
arguments contained backslashes, spaces, or embedded quotes.
Fix by extracting the CommandLineToArgvW-compatible quoting logic from
relauncher_win.cc into a shared utility and use it in both browser_win.cc
and relauncher_win.cc to properly quote the exe path and each argument
individually.
Previously, when trashItemAtURL: failed (e.g. on network shares or
under app translocation), the code fell back to constructing an
AppleScript that interpolated the bundle path directly into a string
literal via %@ with no escaping. This was fragile and unnecessary —
trashItemAtURL: has been the standard API since 10.8 and covers the
relevant cases. The fix simply removes the AppleScript fallback
entirely, so Trash() now returns the result of trashItemAtURL: directly.
* fix: validate USB device selection against filtered device list
Previously, UsbChooserController::OnDeviceChosen looked up the chosen
device_id via chooser_context_->GetDeviceInfo(), which searches all
known USB devices on the system rather than the filtered list shown to
the select-usb-device handler. This meant a device excluded by the
renderer's filters or exclusion_filters could still be granted
permission if the handler returned its GUID.
* bump for CI
---------
Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>
EnterFullscreenModeForTab, RequestPointerLock, and RequestKeyboardLock
bind callbacks with base::Unretained(this); fullscreen also captures a
raw RenderFrameHost*. These callbacks may be invoked by the app's JS
permission handler after the WebContents or RenderFrameHost is destroyed.
Use GetWeakPtr() in all three call sites, and capture a
GlobalRenderFrameHostToken instead of the raw RenderFrameHost* for
fullscreen so the pointer is resolved and null-checked only when the
callback fires. Cancel in-flight permission requests from ~WebContents()
via a new ElectronPermissionManager::CancelPendingRequests()` so stale
callbacks are never handed back to JS.
* feat: add macOS-only api to determine if app is currently active
You can `focus()` the app and get events for `did-become-active`, but there's currently not a way to directly check if your app is the active (foreground) application.
* test: add unit test for app.isActive api
* fix: ensure we hide app after showing in test
If the app is still active, it may affect other tests like dock.bounce
that behave differently depending on whether the app is active
* docs: simplify isActive api description
* feat: show toast dismissal reason on Windows
* Update docs/api/notification.md
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
---------
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
fix: bind offscreen paint callback to child WebContents
Previously, MaybeOverrideCreateParamsForNewWindow bound the
OffScreenWebContentsView's paint callback to the parent WebContents
using base::Unretained(this). This was both unsafe (dangling pointer
risk if the parent is destroyed before the child) and semantically
incorrect — paint events belong to the child window, not the opener.
Replace the callback in MaybeOverrideCreateParamsForNewWindow with
base::DoNothing(), then rebind it to the child WebContents in
AddNewContents via a new SetCallback method on OffScreenWebContentsView.
Enter the destination context scope before creating the VideoFrame V8
wrapper, matching the sibling Element and Blob branches. Without this,
ScriptState::ForCurrentRealm resolved to the calling context instead of
the target context, producing an incorrect wrapper.
Also switch to ScriptState::From with an explicit context argument to
make the intent clearer.
Adds spec coverage for VideoFrame crossing the bridge in both
directions and adds VideoFrame to the existing prototype checks.
The setter branch was deriving source_context from getter-> instead of
setter->. Currently latent since the only call site passes both from
the same preload context, but this would crash or mis-resolve if a
future call site passed a setter without a getter or from a different
context.
* test: add failing test for `setFullscreen(false)`
`setFullscreen(false)` should do nothing
when not already in fullscreen, but it hides the menu bar
on Linux.
* fix: menu bar hiding on two setFullScreen(false)
This fixes the following bug on Linux (and maybe macOS):
1. Create a window with a menu bar.
2. Call `win.setFullScreen(false)`.
The menu bar will hide.
See the original bug in our project:
https://github.com/deltachat/deltachat-desktop/issues/4752.
* fix window sizing on linux when constraints are applied
* added tests
* apply window style directly when changing resizability
* Revert "apply window style directly when changing resizability"
This reverts commit 949e2ee2ab80c7786c46609e382965419f2debd0.
* set size constraints for resizability on window and linux
* chore: bump chromium in DEPS to 147.0.7702.0
* chore: update patches (trivial only)
Co-Authored-By: Claude (claude-3-5-sonnet, Anthropic)
* chore: bump chromium in DEPS to 147.0.7703.0
* 7582039: [Extensions] Use dependency injection for ManifestHandlerRegistry
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7582039
Co-Authored-By: Claude (claude-3-5-sonnet, Anthropic)
* 7582477: spanification: migrate base::ReadUnicodeCharacter usage to string_view
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7582477
Co-Authored-By: Claude (claude-3-5-sonnet, Anthropic)
* chore: update patches (trivial only)
Co-Authored-By: Claude (claude-3-5-sonnet, Anthropic)
* 7590029: Remove 5 unused deprecated sync methods in ui::Clipboard
Migrate clipboard API calls from synchronous methods to async callback-based
methods with RunLoop pattern.
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7590029
* 7599553: [rust png] Chromium: Update `png` to version `0.18.1`.
https://chromium-review.googlesource.com/c/chromium/src/+/7599553
Chromium updated their to Rust PNG implementation which produces
different (but valid) PNG output. Update tests to compare raw bitmap
data instead of encoded PNG data URLs.
* test: fixup clipboard tests to properly handle urls
Needed after migrating clipboard API calls from synchronous methods to async callback-based methods with RunLoop pattern.
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7590029
* fixup "7599553: [rust png] Chromium: Update `png` to version `0.18.1`."
https://chromium-review.googlesource.com/c/chromium/src/+/7599553
Chromium updated their Rust PNG implementation which produces
different (but valid) PNG data URLs.
---------
Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>
* guard against window destruction in min/max size checks
* use weakptr to prevent hit test crash on teardown
* revove web contents views during teardown
* fix test failure
* fix other tests
