* refactor: clean up webFrame implementation to use gin wrappers
The previous implementation of webFrame in the renderer process leaked
sub-frame contexts and global objects across the context boundaries, thus
making it possible for apps to either maliciously or accidentally
violate the contextIsolation boundary.
This re-implementation binds all methods in native code directly to
content::RenderFrame instances instead of relying on JS to provide a
"window" with every method request. This is much more consistent with
the rest of the Electron codebase and is substantially safer.
* chore: un-re-order for ease of review
* chore: pass isolate around instead of ErrorThrower
* chore: fix rebase typo
* chore: remove unused variables
* chore: add types for electron_renderer_web_frame binding
* chore: use keyof for getWebPreference type
Co-authored-by: Samuel Attard <sattard@slack-corp.com>
* initial commit, mac implementation
* add documentation
* convert createThumbnailFromPath to async function
* windows impl prototype
* add tests
* added test
* fix
* fix test
* clean up
* update docs
* cleaning up code
* fix test
* retrigger CI
* retrigger CI
* refactor from app to native_image
* windows build
* lint
* lint
* add smart pointers, fix test
* change tests and update docs
* fix test, remove nolint
* add renderer-main process routing to fix tests
* lint
* thanks sam
* thanks sam
* feat: add worldSafe flag for executeJS results
* chore: do not log warning for webContents.executeJS
* Apply suggestions from code review
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
* chore: apply PR feedback
* chore: split logic a bit
* chore: allow primitives through the world safe check
* chore: clean up per PR feedback
* chore: flip boolean logic
* chore: update per PR feedback
* chore: fix typo
* chore: fix spec
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
We weren't serializing nativeImages properly in the remote module, leading to gin conversion errors when trying to, for example, create a new context menu in the renderer with icons using nativeImage. This fixes that by adding a new special case to handle them.
There are use cases of webview where the container holding the webview is not
actually destroyed first; instead just the webview gets removed from the DOM. In such
situations the browser process map is not updated accordingly and holds a reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that have to chain through the browser embedder will lead to a UAF crash.
Ref: https://github.com/microsoft/vscode/issues/92420
* refactor: port window.open and window.opener to use ctx bridge instead of hole punching
* refactor: only run the isolated init bundle when webview is enabled
* fix: remove bad usages of for-in and guard against it
* Apply suggestions from code review
Co-Authored-By: Samuel Maddock <samuel.maddock@gmail.com>
* Apply suggestions from code review
Co-Authored-By: Jeremy Apthorp <jeremya@chromium.org>
* Update remote.js
Co-authored-by: Samuel Maddock <samuel.maddock@gmail.com>
Co-authored-by: Jeremy Apthorp <jeremya@chromium.org>
* feat: add a new contextBridge module
* chore: fix docs linting
* feat: add support for function arguments being proxied
* chore: ensure that contextBridge can only be used when contextIsolation is enabled
* docs: getReverseBinding can be null
* docs: fix broken links in md file
* feat: add support for promises in function parameters
* fix: linting failure for explicit constructor
* Update atom_api_context_bridge.cc
* chore: update docs and API design as per feedback
* refactor: remove reverse bindings and handle GC'able functions across the bridge
* chore: only expose debugGC in testing builds
* fix: do not proxy promises as objects
* spec: add complete spec coverage for contextBridge
* spec: add tests for null/undefined and the anti-overwrite logic
* chore: fix linting
* spec: add complex nested back-and-forth function calling
* fix: expose contextBridge in sandboxed renderers
* refactor: improve security of default_app using the new contextBridge module
* s/bindAPIInMainWorld/exposeInMainWorld
* chore: sorry for this commit, its a big one, I fixed like everything and refactored a lot
* chore: remove PassedValueCache as it is unused now
Values transferred from context A to context B are now cached in the RenderFramePersistenceStore
* chore: move to anonymous namespace
* refactor: remove PassValueToOtherContextWithCache
* chore: remove commented unused code blocks
* chore: remove .only
* chore: remove commented code
* refactor: extract RenderFramePersistenceStore
* spec: ensure it works with numbered keys
* fix: handle number keys correctly
* fix: sort out the linter
* spec: update default_app asar spec for removed file
* refactor: change signatures to return v8 objects directly rather than the mate dictionary handle
* refactor: use the v8 serializer to support cloneable buffers and other object types
* chore: fix linting
* fix: handle hash collisions with a linked list in the map
* fix: enforce a recursion limit on the context bridge
* chore: fix linting
* chore: remove TODO
* chore: adapt for PR feedback
* chore: remove .only
* chore: clean up docs and clean up the proxy map when objects are released
* chore: ensure we cache object values that are cloned through the V8 serializer