feat: warn when remote is used without enableRemoteModule: true (#21546)

* feat: warn when remote is used without enableRemoteModule: true

* fix security warning

lib/browser/remote/server.ts

@@ -321,7 +321,7 @@ const unwrapArgs = function (sender: electron.WebContents, frameId: number, cont
 
 const isRemoteModuleEnabledImpl = function (contents: electron.WebContents) {
   const webPreferences = (contents as any).getLastWebPreferences() || {}
-  return !!webPreferences.enableRemoteModule
+  return webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true
 }
 
 const isRemoteModuleEnabledCache = new WeakMap()

lib/renderer/api/remote.js

@@ -13,6 +13,15 @@ const remoteObjectCache = v8Util.createIDWeakMap()
 // An unique ID that can represent current context.
 const contextId = v8Util.getHiddenValue(global, 'contextId')
 
+ipcRendererInternal.invoke('ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES').then(preferences => {
+  console.log(preferences)
+  if (!preferences.enableRemoteModule) {
+    console.warn('%cElectron Deprecation Warning', 'font-weight: bold', "The 'remote' module is deprecated and will be disabled by default in a future version of Electron. To ensure a smooth upgrade and silence this warning, specify {enableRemoteModule: true} in the WebPreferences for this window.")
+  }
+}, (err) => {
+  console.error('Failed to get web preferences:', err)
+})
+
 // Notify the main process when current context is going to be released.
 // Note that when the renderer process is destroyed, the message may not be
 // sent, we also listen to the "render-view-deleted" event in the main process

lib/renderer/security-warnings.ts

@@ -268,7 +268,9 @@ const warnAboutAllowedPopups = function () {
 // Logs a warning message about the remote module
 
 const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electron.WebPreferences) {
-  if (!webPreferences || !webPreferences.enableRemoteModule || isLocalhost()) return
+  if (!webPreferences || isLocalhost()) return
+  const remoteModuleEnabled = webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true
+  if (!remoteModuleEnabled) return
 
   if (getIsRemoteProtocol()) {
     const warning = `This renderer process has "enableRemoteModule" enabled

shell/browser/web_contents_preferences.cc

@@ -174,10 +174,6 @@ WebContentsPreferences::~WebContentsPreferences() {
 }
 
 void WebContentsPreferences::SetDefaults() {
-#if BUILDFLAG(ENABLE_REMOTE_MODULE)
-  SetDefaultBoolIfUndefined(options::kEnableRemoteModule, true);
-#endif
-
   if (IsEnabled(options::kSandbox)) {
     SetBool(options::kNativeWindowOpen, true);
   }
@@ -331,7 +327,7 @@ void WebContentsPreferences::AppendCommandLineSwitches(
 
 #if BUILDFLAG(ENABLE_REMOTE_MODULE)
   // Whether to enable the remote module
-  if (IsEnabled(options::kEnableRemoteModule))
+  if (IsEnabled(options::kEnableRemoteModule, true))
     command_line->AppendSwitch(switches::kEnableRemoteModule);
 #endif