* refactor: clean up webFrame implementation to use gin wrappers
The previous implementation of webFrame in the renderer process leaked
sub-frame contexts and global objects across the context boundaries thus
making it possible for apps to either maliciously or accidentally
violate the contextIsolation boundary.
This re-implementation binds all methods in native code directly to
content::RenderFrame instances instead of relying on JS to provide a
"window" with every method request. This is much more consistent with
the rest of the Electron codebase and is substantially safer.
* chore: un-re-order for ease of review
* chore: pass isolate around instead of ErrorThrower
* chore: fix rebase typo
* chore: remove unused variables
* Use std::forward_list instead of base::LinkedList for better perf,
more consistent memory management. Better than std::list because we
don't need the double-linked-list behavior of std::list
* Use std::unordered_map instead of std::map for the v8 hash table
base::LinkedList does not delete its members on destruction. We need to
manually ensure the linkedlist is empty when the ObjectCache is
destroyed.
Fixes #27039
Notes: Fixed memory leak when sending non-primitives over the context
bridge
* feat: enable world safe JS by default
* refactor: use the ctx bridge to send executeJavaScript results in a world safe way
* docs: add more info about the breaking change
* include default in IsEnabled check
* chore: bump chromium in DEPS to 1d6b29cd85c1c3cba093b8b69b2727cc26eaac97
* update patches
* chore: use 'libvulkan.so.1' in the linux manifests
CL: https://chromium-review.googlesource.com/c/angle/angle/+/2538430
Upstream renamed libvulkan.so to libvulkan.so.1, so sync our manifests.
* chore: update expected window-open default policy.
CL: https://chromium-review.googlesource.com/c/chromium/src/+/2429247
Upstream CL continues the work to make `strict-origin-when-cross-origin`
the default referrer policy. This commit changes our window-open tests
to expect that policy over the previous `no-referrer-when-downgrade`.
* chore: bump chromium in DEPS to 69cb7c65ad845cdab1cd5f4256237e72fceba2dd
* chore: re-export chromium patches
No code changes; just line numbers. `git am` failed because the upstream
changes were just large enough to require patching to fail w/o fuzzing.
The broken patch was
patches/chromium/feat_allow_disabling_blink_scheduler_throttling_per_renderview.patch
* update patches
* chore: bump chromium in DEPS to c6d97a240d30e5f5166856f5ae6ee14d95b9a4f0
* update patches
* fixup! chore: update expected window-open default policy.
* chore: disallow copying CppHeapCreateParams
Experimental commit to resolve FTBS https://ci.appveyor.com/project/electron-bot/electron-ljo26/builds/36405680#L25345
which introduces a new struct CppHeapCreateParams that aggregates a
vector of unique_ptrs. Our Windows CI is unhappy that this struct
implicitly deletes its copy ctor, so this commit makes it explicit.
Xref: https://chromium-review.googlesource.com/c/v8/v8/+/2536642
* update patches
* chore: bump chromium in DEPS to 0df9a85ffa0ad4711b41a089842e40b87ba88055
* update patches
* fixup! chore: bump chromium to ac06d6903a2c981ab90a8162f1ba0 (master) (#26499)
* chore: update calls to gfx::RemoveAcceleratorChar.
The call signature for gfx::RemoveAccelerator changed in
https://chromium-review.googlesource.com/c/chromium/src/+/2546471 .
This commit updates use to match that.
* chore: bump chromium in DEPS to 43d6c496251e08d3781bfadbe9727688551f74a9
* update patches
* chore: bump chromium in DEPS to 1fb5c9825be4e2271c4fef0e802f5d970b32f62f
* update patches
* chore: bump chromium in DEPS to 8a1f078d67825e727a598b89a8924699df8d3850
* chore: bump chromium in DEPS to 28ff715b3a97d8cedc143bad671edb08b6de5fc2
* chore: update patches
* Remove most service manifest remnants from Content
https://chromium-review.googlesource.com/c/chromium/src/+/2296482
* Reland "Portals: Fix a11y for orphaned portals"
https://chromium-review.googlesource.com/c/chromium/src/+/2542812
* Convert CallbackList::Subscription to a standalone class.
https://chromium-review.googlesource.com/c/chromium/src/+/2522860
* fix: actually apply the zlib patch
* chore: bump chromium in DEPS to 75b464e6357190ca302ba9ce8f8c2bf5a3b709ae
* chore: update patches
* chore: bump chromium@b884b9b2f647c59a75f5d2055030afa33d50ca10
* chore: bump chromium in DEPS to 829261dadcefdc54ce5fdf7c5fac2929786a63ce
* chore: bump chromium in DEPS to 5df3e69605c7c0130374aaccb91fc4726a558db2
* chore: bump chromium in DEPS to 22db748d5b7b90f87e6e97ef4c92a727ac753ea4
* chore: bump chromium in DEPS to 1475df80282b7eeeb0e153d8375bfe651f083bf8
* chore: bump chromium in DEPS to 6d34fe9e9b7386edd90574617bfa4008de972d72
* chore: update patches
* Disable CertVerifierService for now
2559260: Enable CertVerifierService by default | https://chromium-review.googlesource.com/c/chromium/src/+/2559260
* Remove force_ignore_site_for_cookies until we figure out what to do instead
2499162: Remove |force_ignore_site_for_cookies| from IPCs (e.g. ResourceRequest). | https://chromium-review.googlesource.com/c/chromium/src/+/2499162
* chore: bump chromium in DEPS to 95aeb1c59ebc03d19ba077b0cd707463d1b2865e
* update patches
* Set site_for_cookies to request url so that URLLoader::ShouldForceIgnoreSiteForCookies returns true
* 2490383: a11y inspect reorg: implement accessible tree formatter factory
https://chromium-review.googlesource.com/c/chromium/src/+/2490383
* 2485887: [Extensions][web_accessible_resources] Use |matches|.
https://chromium-review.googlesource.com/c/chromium/src/+/2485887
* update v8 headers
* chore: bump chromium in DEPS to 38587dc379a8cf4d4a13e482a6e89f2fe681144e
* update patches
* 2555005: [api] Simplify ScriptOrigin
https://chromium-review.googlesource.com/c/v8/v8/+/2555005
* 2563553: Remove Flash from PermissionRequestTypes and PermissionTypes.
https://chromium-review.googlesource.com/c/chromium/src/+/2563553
* 2546146: Remove browser-hosted InterfaceProvider
https://chromium-review.googlesource.com/c/chromium/src/+/2546146
* Actually apply nan patch
* update patches
* chore: bump chromium in DEPS to 6718d4b50c9db975c5642ca5b68e8dc7ee1b7615
* update patches
* 2546146: Remove browser-hosted InterfaceProvider
https://chromium-review.googlesource.com/c/chromium/src/+/2546146
* chore: bump chromium in DEPS to 338cc300e3fe3a4cb4883e9ccdc34a32f3dfe034
* chore: bump chromium in DEPS to d9baeb1d192c23ceb1e1c4bbe6af98380b263bc1
* chore: bump chromium in DEPS to 3ca3051932683739b304e721cc394b6c66f841fe
* chore: bump chromium in DEPS to 89292a4ae29096e5313aaf19dfa0c4710145c34d
* 2571639: mac: Remove code to support OS X 10.10 in //sandbox
https://chromium-review.googlesource.com/c/chromium/src/+/2571639
* Fixup patch indices
* Do not build MTLManagedObjectAdapter
It's been removed in newer Mantle versions and uses a deprecated enum
* update patches
* Remove sendToAll
https://github.com/electron/electron/pull/26771
* 2569367: Remove dead fullscreen code in RenderWidgetHostView and friends
https://chromium-review.googlesource.com/c/chromium/src/+/2569367
* Remove deprecated performFileOperation usage
* 2568359: mac: Ignore Wdeprecated-declarations for LSSharedFileList* functions.
https://chromium-review.googlesource.com/c/chromium/src/+/2568359
* 2561401: Add OutputPresenterX11 which uses X11 present extension.
https://chromium-review.googlesource.com/c/chromium/src/+/2561401
* 2565511: [objects] Remove MakeExternal case for uncached internal strings
https://chromium-review.googlesource.com/c/v8/v8/+/2565511
* fixup: Add disconnect logic to ElectronBrowserHandlerImpl
* Allow local networking override for ATS
https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html
* Refactor: clean up rfh getters in ElectronBrowserHandlerImpl
* Update patches
* Remove unneeded BindTo
* Don't assign ElectronBrowserHandlerImpl at all
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: deepak1556 <hop2deep@gmail.com>
Co-authored-by: John Kleinschmidt <jkleinsc@github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
* feat: add worldSafe flag for executeJS results
* chore: do not log warning for webContents.executeJS
* Apply suggestions from code review
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
* chore: apply PR feedback
* chore: split logic a bit
* chore: allow primitives through the world safe check
* chore: clean up per PR feedback
* chore: flip boolean logic
* chore: update per PR feedback
* chore: fix typo
* chore: fix spec
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
* perf: do not convert object keys in ctx bridge as they are always primitives
* Update shell/renderer/api/electron_api_context_bridge.cc
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
* refactor: port window.open and window.opener to use ctx bridge instead of hole punching
* refactor: only run the isolated init bundle when webview is enabled
* fix(extensions): set lowest isolated world id
* refactor: move world IDs into separate header file
Several files are including electron_render_frame_observer.h just for the world IDs.
* refactor: use gin in Promise
* refactor: separate Promise impl that returns nothing
* refactor: use Promise<void> for promise that returns nothing
* fix: methods should be able to run on both browser and renderer process
* fix: should not pass base::StringPiece across threads
* refactor: no more need to use different ResolvePromise for empty Promise
* refactor: move Promise to gin_helper
* refactor: remove a few uses of native_mate/gfx_converter.h
* refactor: deprecate mate::EventEmitter
* refactor: add gin_helper::EventEmitter
* refactor: convert a few classes to use gin_helper::EventEmitter
* refactor: get rid of native_mate_converters/gfx_converter.h
* fix: follow native_mate on reporting errors
* fix: gin is weak at guessing parameter types
* fix: incorrect full class name
* fix: gin::Handle does not accept null
* feat: add a new contextBridge module
* chore: fix docs linting
* feat: add support for function arguments being proxied
* chore: ensure that contextBridge can only be used when contextIsolation is enabled
* docs: getReverseBinding can be null
* docs: fix broken links in md file
* feat: add support for promises in function parameters
* fix: linting failure for explicit constructor
* Update atom_api_context_bridge.cc
* chore: update docs and API design as per feedback
* refactor: remove reverse bindings and handle GC'able functions across the bridge
* chore: only expose debugGC in testing builds
* fix: do not proxy promises as objects
* spec: add complete spec coverage for contextBridge
* spec: add tests for null/undefined and the anti-overwrite logic
* chore: fix linting
* spec: add complex nested back-and-forth function calling
* fix: expose contextBridge in sandboxed renderers
* refactor: improve security of default_app using the new contextBridge module
* s/bindAPIInMainWorld/exposeInMainWorld
* chore: sorry for this commit, it's a big one, I fixed like everything and refactored a lot
* chore: remove PassedValueCache as it is unused now
Values transferred from context A to context B are now cached in the RenderFramePersistenceStore
* chore: move to anonymous namespace
* refactor: remove PassValueToOtherContextWithCache
* chore: remove commented unused code blocks
* chore: remove .only
* chore: remove commented code
* refactor: extract RenderFramePersistenceStore
* spec: ensure it works with numbered keys
* fix: handle number keys correctly
* fix: sort out the linter
* spec: update default_app asar spec for removed file
* refactor: change signatures to return v8 objects directly rather than the mate dictionary handle
* refactor: use the v8 serializer to support cloneable buffers and other object types
* chore: fix linting
* fix: handle hash collisions with a linked list in the map
* fix: enforce a recursion limit on the context bridge
* chore: fix linting
* chore: remove TODO
* chore: adapt for PR feedback
* chore: remove .only
* chore: clean up docs and clean up the proxy map when objects are released
* chore: ensure we cache object values that are cloned through the V8 serializer
* refactor: use v8 serialization for ipc
* cloning process.env doesn't work
* serialize host objects by enumerating key/values
* new serialization can handle NaN, Infinity, and undefined correctly
* can't allocate v8 objects during GC
* backport microtasks fix
* fix compile
* fix node_stream_loader reentrancy
* update subframe spec to expect undefined instead of null
* write undefined instead of crashing when serializing host objects
* fix webview spec
* fix download spec
* buffers are transformed into uint8arrays
* can't serialize promises
* fix chrome.i18n.getMessage
* fix devtools tests
* fix zoom test
* fix debug build
* fix lint
* update ipcRenderer tests
* fix printToPDF test
* update patch
* remove accidentally re-added remote-side spec
* wip
* don't attempt to serialize host objects
* jump through different hoops to set options.webContents sometimes
* whoops
* fix lint
* clean up error-handling logic
* fix memory leak
* fix lint
* convert host objects using old base::Value serialization
* fix lint more
* fall back to base::Value-based serialization
* remove commented-out code
* add docs to breaking-changes.md
* Update breaking-changes.md
* update ipcRenderer and WebContents docs
* lint
* use named values for format tag
* save a memcpy for ~30% speedup
* get rid of calls to ShallowClone
* extra debugging for paranoia
* d'oh, use the correct named tags
* apparently msstl doesn't like this DCHECK
* funny story about that DCHECK
* disable remote-related functions when enable_remote_module = false
* nits
* use EnableIf to disable remote methods in mojom
* fix include
* review comments
* deprecate native_mate/native_mate/object_template_builder.h
* add gin_helper/object_template_builder.h
* add patch to avoid ambiguous error
* remove usage of object_template_builder_deprecated.h in a few files
* add note we should remove gin_helper/object_template_builder.h in future
* refactor: fix clang-tidy vector operation warnings
Fix vector population performance-inefficient-vector-operation warnings
generated by clang-tidy
* refactor: fix clang-tidy emplace_back warnings
In cases where a temporary is created to be passed
to push_back(), replace it with emplace_back().
Warning: modernize-use-emplace
* refactor: fix clang-tidy loop iteration warnings
When practical, use range-based for loops instead of C-style for loops.
clang-tidy check: modernize-loop-convert
* refactor: fix clang-tidy string initialize warning
Remove redundant empty string initialization.
clang-tidy check: readability-redundant-string-init
* use gin converter in atom_api_menu
* please only put necessary includes in header
Having include in header means they have dependency relationship,
putting arbitrary includes really really really really really makes
refactoring much harder.
* remove some simple uses of callback_converter_deprecated.h
* use gin callback converter in file_dialog code
* use gin in ErrorThrower
* use gin in atom_bundle_mover
* fix mistake in node stream
* deprecate native_mate version of event_emitter_caller
* use gin in node_bindings
* remove usages of native_mate event_emitter_caller.h except for EventEmitter
* fix compilation on Windows
* gin::Arguments behaves differently on GetNext
* just use StringToV8
* add notice to files being removed
* add gin version of function_template.h
* rename callback.h to avoid confliction
* add gin version of callback_converter
* add gin converter for OnceCallback
* remove callback_converter_gin_adapter.h
* remove gin_util.h and gin_utils.h
* fix lint warning
* add helper for setting methods
* refactor: make util::Promise type safe when chaining in native
* fixup! refactor: make util::Promise type safe when chaining in native
* chore: remove spare brackets