dee331519c
* fix: disable remote host nodeIntegration warning for localhost In warnAboutNodeWithRemoteContent(), add a check to see if the hostname is "localhost" and prevent the warning message if it is. * fix: disable loading insecure resources warning for localhost In warnAboutInsecureResources(), filter out resources from localhost since they are most likely not a threat. * test: add tests for ignoring security warnings when using localhost Add tests for ignoring warning messages for the following scenarios: 1. node integration with remote content from localhost 2. loading insecure resources from localhost * test: fix insecure resource test * test: pass nodeIntegration with remote test on did-finish-load * test: maybe fix node integration test (error w/ conv circular struct) * test: update test description * test: use "load" event to check when nodeIntegration test has finished Instead of relying on the "did-finish-load" event, which may result in a race condition, add an "onload" handler that logs "loaded" to the console. This will execute _after_ the nodeIntegration check, so it can be safely used as a signal to indicate that the test is done. * test: rename base-page-security-load-message.html * fix: ignore enabled remote module warning for localhost * refactor: add isLocalhost()
257 lines
7.2 KiB
JavaScript
257 lines
7.2 KiB
JavaScript
const chai = require('chai')
|
|
const dirtyChai = require('dirty-chai')
|
|
|
|
const http = require('http')
|
|
const fs = require('fs')
|
|
const path = require('path')
|
|
const url = require('url')
|
|
|
|
const { remote } = require('electron')
|
|
const { BrowserWindow } = remote
|
|
|
|
const { closeWindow } = require('./window-helpers')
|
|
|
|
const { expect } = chai
|
|
chai.use(dirtyChai)
|
|
|
|
describe('security warnings', () => {
|
|
let server
|
|
let w = null
|
|
let useCsp = true
|
|
|
|
before((done) => {
|
|
// Create HTTP Server
|
|
server = http.createServer((request, response) => {
|
|
const uri = url.parse(request.url).pathname
|
|
let filename = path.join(__dirname, './fixtures/pages', uri)
|
|
|
|
fs.stat(filename, (error, stats) => {
|
|
if (error) {
|
|
response.writeHead(404, { 'Content-Type': 'text/plain' })
|
|
response.end()
|
|
return
|
|
}
|
|
|
|
if (stats.isDirectory()) {
|
|
filename += '/index.html'
|
|
}
|
|
|
|
fs.readFile(filename, 'binary', (err, file) => {
|
|
if (err) {
|
|
response.writeHead(404, { 'Content-Type': 'text/plain' })
|
|
response.end()
|
|
return
|
|
}
|
|
|
|
const cspHeaders = { 'Content-Security-Policy': `script-src 'self' 'unsafe-inline'` }
|
|
response.writeHead(200, useCsp ? cspHeaders : undefined)
|
|
response.write(file, 'binary')
|
|
response.end()
|
|
})
|
|
})
|
|
}).listen(8881, () => done())
|
|
})
|
|
|
|
after(() => {
|
|
// Close server
|
|
server.close()
|
|
server = null
|
|
})
|
|
|
|
afterEach(() => {
|
|
useCsp = true
|
|
return closeWindow(w).then(() => { w = null })
|
|
})
|
|
|
|
it('should warn about Node.js integration with remote content', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
nodeIntegration: true
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('Node.js Integration with Remote Content')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should not warn about Node.js integration with remote content from localhost', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
nodeIntegration: true
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.not.include('Node.js Integration with Remote Content')
|
|
|
|
if (message === 'loaded') {
|
|
done()
|
|
}
|
|
})
|
|
|
|
w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
|
|
})
|
|
|
|
const generateSpecs = (description, webPreferences) => {
|
|
describe(description, () => {
|
|
it('should warn about disabled webSecurity', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
webSecurity: false,
|
|
...webPreferences
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('Disabled webSecurity')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should warn about insecure Content-Security-Policy', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
enableRemoteModule: false,
|
|
...webPreferences
|
|
}
|
|
})
|
|
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('Insecure Content-Security-Policy')
|
|
done()
|
|
})
|
|
|
|
useCsp = false
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should warn about allowRunningInsecureContent', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
allowRunningInsecureContent: true,
|
|
...webPreferences
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('allowRunningInsecureContent')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should warn about experimentalFeatures', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
experimentalFeatures: true,
|
|
...webPreferences
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('experimentalFeatures')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should warn about enableBlinkFeatures', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences: {
|
|
enableBlinkFeatures: ['my-cool-feature'],
|
|
...webPreferences
|
|
}
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('enableBlinkFeatures')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should warn about allowpopups', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('allowpopups')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/webview-allowpopups.html`)
|
|
})
|
|
|
|
it('should warn about insecure resources', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('Insecure Resources')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/insecure-resources.html`)
|
|
w.webContents.openDevTools()
|
|
})
|
|
|
|
it('should not warn about loading insecure-resources.html from localhost', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.not.include('insecure-resources.html')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://localhost:8881/insecure-resources.html`)
|
|
w.webContents.openDevTools()
|
|
})
|
|
|
|
it('should warn about enabled remote module with remote content', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.include('enableRemoteModule')
|
|
done()
|
|
})
|
|
|
|
w.loadURL(`http://127.0.0.1:8881/base-page-security.html`)
|
|
})
|
|
|
|
it('should not warn about enabled remote module with remote content from localhost', (done) => {
|
|
w = new BrowserWindow({
|
|
show: false,
|
|
webPreferences
|
|
})
|
|
w.webContents.once('console-message', (e, level, message) => {
|
|
expect(message).to.not.include('enableRemoteModule')
|
|
|
|
if (message === 'loaded') {
|
|
done()
|
|
}
|
|
})
|
|
|
|
w.loadURL(`http://localhost:8881/base-page-security-onload-message.html`)
|
|
})
|
|
})
|
|
}
|
|
|
|
generateSpecs('without sandbox', {})
|
|
generateSpecs('with sandbox', { sandbox: true })
|
|
})
|