JavaScript: Add experimental Electron queries #4818
Conversation
There was a problem hiding this comment.
Hi 👋
Thanks for the contribution!
This is very similar to the EnablingNodeIntegration query, so it would be a good idea to take a look at that.
In particular, you can use the Electron::WebPreferences class to find the webPreferences object passed to new BrowserWindow() instead of just flagging all properties named sandbox or contextIsolation. The problem with flagging all properties of that name is that it can produce FPs if they occur in a context that has nothing to do with Electron.
| Context isolation is an Electron feature that ensures that rendered website | ||
| is running in different JavaScript context than both preload scripts and Electron's | ||
| internal logic. |
There was a problem hiding this comment.
| Context isolation is an Electron feature that ensures that rendered website | |
| is running in different JavaScript context than both preload scripts and Electron's | |
| internal logic. | |
| Context isolation is an Electron feature that ensures that a rendered website | |
| is running in a different JavaScript context than both preload scripts and Electron's | |
| internal logic. |
| Disabling the Context Isolation is strongly discouraged as it could enable | ||
| website to escalate its privileges and access internal Electron APIs. |
There was a problem hiding this comment.
| Disabling the Context Isolation is strongly discouraged as it could enable | |
| website to escalate its privileges and access internal Electron APIs. | |
| Disabling context isolation is strongly discouraged as it could enable | |
| website to escalate its privileges and access internal Electron APIs. |
| Context Isolation is enabled by default from Electron 12, in lower versions | ||
| it has to be enabled manually. |
There was a problem hiding this comment.
| Context Isolation is enabled by default from Electron 12, in lower versions | |
| it has to be enabled manually. | |
| Context isolation is enabled by default from Electron 12 and up, but in lower versions | |
| it has to be enabled manually. |
| @@ -0,0 +1,22 @@ | |||
| /** | |||
| * @name Disabling Context Isolation in Electron | |||
| * @description Disabling Context Isolation can enable website to escalate its privileges and access internal Electron APIs. | |||
There was a problem hiding this comment.
| * @description Disabling Context Isolation can enable website to escalate its privileges and access internal Electron APIs. | |
| * @description Disabling context isolation can enable website to escalate its privileges and access internal Electron APIs. |
|
|
||
| // TODO: Below Electron 12 the Context Isolation needs to be enabled manually. | ||
| // If there is reliable way to determine Electron version, this query | ||
| // could be extended to check this case. |
There was a problem hiding this comment.
Maybe the "engines" property in package.json could help here? You can use the PackageJSON class to get to it.
|
Closing the PR due to staleness, but feel free to reopen if you wish to resume work on it. |
I am proposing addition of two trivial queries into experimental for JavaScript/TypeScript. More work should be done on those in the future as mentioned in TODO comments. I'll appreciate any feedback, thank you!