8000 fix: add native function to create preload script by PalmerAL · Pull Request #13032 · electron/electron · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix: add native function to create preload script #13032

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 13, 2018
Merged

fix: add native function to create preload script #13032

merged 5 commits into from
Jul 13, 2018

Conversation

PalmerAL
Copy link
Contributor

Fixes #9276.

It looks like file:/// and data: URL's are always able to use eval() regardless of what the CSP is, so I'm not really sure how to add a test for this. I guess a custom protocol might work?

@PalmerAL PalmerAL requested a review from a team May 22, 2018 01:56
@welcome
Copy link
welcome bot commented May 22, 2018

💖 Thanks for opening this pull request! 💖

We use
semantic commit messages
to streamline the release process. Before your pull request can be merged, you
should update your pull request title to start with a semantic prefix,
OR prefix at least one of your commit messages.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@codebytere codebytere changed the title add native function to create preload script fix: add native function to create preload script May 25, 2018
@emmkimme emmkimme mentioned this pull request Jun 19, 2018
Closed
@tarruda tarruda self-requested a review June 20, 2018 12:24
tarruda
tarruda suggested changes Jun 20, 2018
View reviewed changes
Copy link
Contributor
@tarruda tarruda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really sure how to add a test for this. I guess a custom protocol might work?

One test that you could add is to verify that the preload wrapper function doesn't have access to the local scope where it is executed. In other words, it should behave as eval when it is called as a different name (source):

If you use the eval function indirectly, by invoking it via a reference other than eval, as of ECMAScript 5 it works in the global scope rather than the local scope. This means, for instance, that function declarations create global functions, and that the code being evaluated doesn't have access to local variables within the scope where it's being called.

Other than that, the existing sandbox tests already verify preload is still working.

@tarruda
Copy link
Contributor
tarruda commented Jun 20, 2018

Also, please rebase to ensure everything is working on top of latest master, sandbox loading was changed recently.
10000

PalmerAL
PalmerAL commented Jun 20, 2018
View reviewed changes
spec/webview-spec.js Outdated
@@ -248,6 +248,37 @@ describe('<webview> tag', function () {
})
})

it('runs in the correct context', async () => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't see an existing test for the unsandboxed version, but maybe there's one I've missed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unsandboxed preload exposes everything by default so it is not needed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, the test title should be "run in the correct scope". Context denotes the global JS environment, and both the page and preload run in the same context.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tarruda Fixed!

@PalmerAL
Copy link
Contributor Author

@tarruda can this be merged?

@tarruda
Copy link
Contributor
tarruda commented Jun 27, 2018

@PalmerAL I believe so, but I don't have permissions to merge it. Can you push again to trigger a new CI run? Maybe after all tests are passing it will be merged.

@PalmerAL
Copy link
Contributor Author

The mac failures seem to be because of #13316, everything else is passing.

@PalmerAL
Copy link
Contributor Author
PalmerAL commented Jul 9, 2018

@zcbenz (or someone else) can this be merged?

@zcbenz zcbenz merged commit ffc15e0 into electron:master Jul 13, 2018
@welcome
Copy link
welcome bot commented Jul 13, 2018

Congrats on merging your first pull request! 🎉🎉🎉

@miniak
Copy link
Contributor
miniak commented Aug 18, 2018

@tarruda shouldn't this be backported to 3.0?

7E41
@ckerr ckerr mentioned this pull request Dec 18, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tarruda tarruda tarruda approved these changes

@zcbenz zcbenz zcbenz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

preload script cannot be loaded if Content Security Policy is enabled
4 participants
@PalmerAL @tarruda @miniak @zcbenz
0