8000 webview.preload fails when webSecurity is disabled · Issue #5719 · electron/electron · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

webview.preload fails when webSecurity is disabled #5719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
romaincointepas opened this issue May 26, 2016 · 11 comments
Closed

webview.preload fails when webSecurity is disabled #5719

romaincointepas opened this issue May 26, 2016 · 11 comments

Comments

@romaincointepas
Copy link
  • Electron version: 1.2.0
  • Operating system: OS X 10.11.5

webview preload attribute seems to be broken in Electron 1.2.0/Chrome 51 (worked with 1.1.3/Chrome 50).

Here is how I used it (successfully) on versions prior to 1.2.0:
@webview.preload = "file://#{app.getAppPath()}/js/player-preload.js"

Tried to put it in the HTML webview tag directly as attribute, same thing.

Note: No error in the Console though, it's just that the script is never actually executed.
@kevinsawicki
Copy link
Contributor

@romaincointepas can you share the options you are passing to the BrowserWindow constructor for the window containing the webview?

@romaincointepas
Copy link
Author

Sure, here it is:

win = new BrowserWindow(
    x: winState.x
    y: winState.y
    width: winState.width
    height: winState.height
    show: false
    backgroundColor: '#101010'
    titleBarStyle: 'hidden'
    webPreferences:
      plugins: true
      allowDisplayingInsecureContent: true
  )

@kevinsawicki
Copy link
Contributor

Hmm, having trouble reproducing this with the following app:

main.js

const {app, BrowserWindow} = require('electron')
let window
app.on('ready', function () {
  window = new BrowserWindow({
    width: 200,
    height: 200,
    show: true
  })
  window.loadURL('file://' + __dirname + '/page.html')
})

page.html

<body>
  <webview preload="preload.js" src="wv.html" style="display:inline-flex; width:640px; height:480px"></webview>
</body>

wv.html

<body>
  <script>document.write('preload time? ' + window.preloaded)</script>
</body>

preload.js

window.preloaded = Date.now()

It currently shows the value at launch, any differences in your app that you can think of that might help me reproduce this?

@romaincointepas
Copy link
Author

How do you not get the error Only "file:" protocol is supported in "preload" attribute. in the Console when not using file: in the preload attribute?

@kevinsawicki
Copy link
Contributor

How do you not get the error Only "file:" protocol is supported in "preload" attribute. in the Console when not using file: in the preload attribute?

Not sure, do you have any other attributes set on your <webview> tag?

@romaincointepas
Copy link
Author
romaincointepas commented May 26, 2016
edited
Loading 
<webview id="player-webview" src="data:text/plain,_" preload="preload.js" disablewebsecurity plugins></webview>

src="data:text/plain,_" seems to be the problem, weird. When I remove it, no error in the console.

Also definitely worth noting, the BrowserWindow is loading a remote html page that has the webview tag (that's why I use app.getAppPath(), as the preload script is local).

@kjlaw89
Copy link
kjlaw89 commented May 27, 2016

I'm running into this same issue. I ran a few tests and determined a few things:

  1. It appears setting "disablewebsecurity" kills the preload scripts. In my case I have to set this flag if I want to be able to load PDFs in my application (though I'm working on a more native way to do this but haven't figured one out yet)
  2. When I get rid of disablewebsecurity the preload script starts working again, but some web requests fail to go through. i.e., clicking a link on a website does nothing. When disablewebsecurity is active, the preload scripts don't load but I can navigate around just fine.

@kjlaw89
Copy link
kjlaw89 commented May 27, 2016

Okay, I did a little extra research and can elaborate more on #2. When disablewebsecurity is removed, the preload script will load and execute just fine. It appears that using remote.getGlobal at any point (and apparently just a normal alert()) will keep the page from following any links. You don't even need to do anything with the global variable you got, you just need to pull one in for page navigation to break.

I verified that the browser does still recognize the attempt to navigate as I'm watching session.webRequest.onBeforeSendHeaders and it does show the URL/Headers of the link I clicked, but it never navigates or loads any of the resources.

@marbemac
Copy link

We can confirm the same behavior @kjlaw89 is describing. Preload script breaks/doesn't load in 1.2 when webSecurity is set to false.

@kevinsawicki kevinsawicki changed the title webview.preload broken in Electron 1.2.0? webview.preload broken when webSecurity is disabled May 27, 2016
@kevinsawicki kevinsawicki changed the title webview.preload broken when webSecurity is disabled webview.preload fails when webSecurity is disabled May 27, 2016
@kevinsawicki
Copy link
Contributor

This looks similar to #5712 where webSecurity affects script loading

@zcbenz
Copy link
Contributor
zcbenz commented May 30, 2016

I'm merging this to #5712 since they are essentially the same bug.

@zcbenz zcbenz closed this as completed May 30, 2016
@kjlaw89 kjlaw89 mentioned this issue May 31, 2016
Closed
@kevinsawicki kevinsawicki mentioned this issue Jun 1, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@zcbenz @kevinsawicki @romaincointepas @marbemac @kjlaw89
0