Pchen0/electron

Blink: Plumb correct security origin for isolated world CSPs.

https://chromium-review.googlesource.com/c/chromium/src/+/1395190

deepak1556 6 years ago

parent

2c282203b5

commit

606c84b302

3 changed files with 23 additions and 45 deletions

Split View Show Diff Stats

						
							+ 11
							
							- 35
						
atom/renderer/api/atom_api_web_frame.cc
							 
								View File
							
				@@ -22,6 +22,7 @@
			
				 #include "native_mate/dictionary.h"
			
				 #include "native_mate/object_template_builder.h"
			
				 #include "third_party/blink/public/platform/web_cache.h"
			
				+#include "third_party/blink/public/platform/web_isolated_world_info.h"
			
				 #include "third_party/blink/public/web/web_custom_element.h"
			
				 #include "third_party/blink/public/web/web_document.h"
			
				 #include "third_party/blink/public/web/web_element.h"
			
				@@ -377,46 +378,27 @@ void ExecuteJavaScriptInIsolatedWorld(
			
				       scriptExecutionType, callback.release());
			
				 }
			
				-void SetIsolatedWorldSecurityOrigin(v8::Local<v8::Value> window,
			
				-                                    int world_id,
			
				-                                    const std::string& origin_url) {
			
				-  GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldSecurityOrigin(
			
				-      world_id, blink::WebSecurityOrigin::CreateFromString(
			
				-                    blink::WebString::FromUTF8(origin_url)));
			
				-}
			
				-
			
				-void SetIsolatedWorldContentSecurityPolicy(v8::Local<v8::Value> window,
			
				-                                           int world_id,
			
				-                                           const std::string& security_policy) {
			
				-  GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldContentSecurityPolicy(
			
				-      world_id, blink::WebString::FromUTF8(security_policy));
			
				-}
			
				-
			
				-void SetIsolatedWorldHumanReadableName(v8::Local<v8::Value> window,
			
				-                                       int world_id,
			
				-                                       const std::string& name) {
			
				-  GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldHumanReadableName(
			
				-      world_id, blink::WebString::FromUTF8(name));
			
				-}
			
				-
			
				 void SetIsolatedWorldInfo(v8::Local<v8::Value> window,
			
				                           int world_id,
			
				                           const mate::Dictionary& options,
			
				                           mate::Arguments* args) {
			
				-  std::string origin, csp, name;
			
				-  options.Get("securityOrigin", &origin);
			
				-  options.Get("csp", &csp);
			
				+  std::string origin_url, security_policy, name;
			
				+  options.Get("securityOrigin", &origin_url);
			
				+  options.Get("csp", &security_policy);
			
				   options.Get("name", &name);
			
				-  if (!csp.empty() && origin.empty()) {
			
				+  if (!security_policy.empty() && origin_url.empty()) {
			
				     args->ThrowError(
			
				         "If csp is specified, securityOrigin should also be specified");
			
				     return;
			
				   }
			
				-  SetIsolatedWorldSecurityOrigin(window, world_id, origin);
			
				-  SetIsolatedWorldContentSecurityPolicy(window, world_id, csp);
			
				-  SetIsolatedWorldHumanReadableName(window, world_id, name);
			
				+  blink::WebIsolatedWorldInfo info;
			
				+  info.security_origin = blink::WebSecurityOrigin::CreateFromString(
			
				+      blink::WebString::FromUTF8(origin_url));
			
				+  info.content_security_policy = blink::WebString::FromUTF8(security_policy);
			
				+  info.human_readable_name = blink::WebString::FromUTF8(name);
			
				+  GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldInfo(world_id, info);
			
				 }
			
				 blink::WebCache::ResourceTypeStats GetResourceUsage(v8::Isolate* isolate) {
			
				@@ -550,12 +532,6 @@ void Initialize(v8::Local<v8::Object> exports,
			
				   dict.SetMethod("executeJavaScript", &ExecuteJavaScript);
			
				   dict.SetMethod("executeJavaScriptInIsolatedWorld",
			
				                  &ExecuteJavaScriptInIsolatedWorld);
			
				-  dict.SetMethod("_setIsolatedWorldSecurityOrigin",
			
				-                 &SetIsolatedWorldSecurityOrigin);
			
				-  dict.SetMethod("_setIsolatedWorldContentSecurityPolicy",
			
				-                 &SetIsolatedWorldContentSecurityPolicy);
			
				-  dict.SetMethod("_setIsolatedWorldHumanReadableName",
			
				-                 &SetIsolatedWorldHumanReadableName);
			
				   dict.SetMethod("setIsolatedWorldInfo", &SetIsolatedWorldInfo);
			
				   dict.SetMethod("getResourceUsage", &GetResourceUsage);
			
				   dict.SetMethod("clearCache", &ClearCache);

						
							+ 6
							
							- 7
						
atom/renderer/atom_render_frame_observer.cc
							 
								View File
							
				@@ -21,6 +21,7 @@
			
				 #include "native_mate/dictionary.h"
			
				 #include "net/base/net_module.h"
			
				 #include "net/grit/net_resources.h"
			
				+#include "third_party/blink/public/platform/web_isolated_world_info.h"
			
				 #include "third_party/blink/public/web/blink.h"
			
				 #include "third_party/blink/public/web/web_document.h"
			
				 #include "third_party/blink/public/web/web_draggable_region.h"
			
				@@ -131,16 +132,14 @@ void AtomRenderFrameObserver::OnDestruct() {
			
				 void AtomRenderFrameObserver::CreateIsolatedWorldContext() {
			
				   auto* frame = render_frame_->GetWebFrame();
			
				-
			
				+  blink::WebIsolatedWorldInfo info;
			
				   // This maps to the name shown in the context combo box in the Console tab
			
				   // of the dev tools.
			
				-  frame->SetIsolatedWorldHumanReadableName(
			
				-      World::ISOLATED_WORLD,
			
				-      blink::WebString::FromUTF8("Electron Isolated Context"));
			
				-
			
				+  info.human_readable_name =
			
				+      blink::WebString::FromUTF8("Electron Isolated Context");
			
				   // Setup document's origin policy in isolated world
			
				-  frame->SetIsolatedWorldSecurityOrigin(
			
				-      World::ISOLATED_WORLD, frame->GetDocument().GetSecurityOrigin());
			
				+  info.security_origin = frame->GetDocument().GetSecurityOrigin();
			
				+  frame->SetIsolatedWorldInfo(World::ISOLATED_WORLD, info);
			
				   // Create initial script context in isolated world
			
				   blink::WebScriptSource source("void 0");

						
							+ 6
							
							- 3
						
lib/renderer/api/web-frame.js
							 
								View File
							
				@@ -53,17 +53,20 @@ class WebFrame extends EventEmitter {
			
				   // TODO(nitsakh): Remove in 6.0
			
				   setIsolatedWorldSecurityOrigin (worldId, securityOrigin) {
			
				     deprecate.warn('webFrame.setIsolatedWorldSecurityOrigin', 'webFrame.setIsolatedWorldInfo')
			
				-    binding._setIsolatedWorldSecurityOrigin(this.context, worldId, securityOrigin)
			
				+    binding.setIsolatedWorldInfo(this.context, worldId, { securityOrigin })
			
				   }
			
				   setIsolatedWorldContentSecurityPolicy (worldId, csp) {
			
				     deprecate.warn('webFrame.setIsolatedWorldContentSecurityPolicy', 'webFrame.setIsolatedWorldInfo')
			
				-    binding._setIsolatedWorldContentSecurityPolicy(this.context, worldId, csp)
			
				+    binding.setIsolatedWorldInfo(this.context, worldId, {
			
				+      securityOrigin: window.location.origin,
			
				+      csp
			
				+    })
			
				   }
			
				   setIsolatedWorldHumanReadableName (worldId, name) {
			
				     deprecate.warn('webFrame.setIsolatedWorldHumanReadableName', 'webFrame.setIsolatedWorldInfo')
			
				-    binding._setIsolatedWorldHumanReadableName(this.context, worldId, name)
			
				+    binding.setIsolatedWorldInfo(this.context, worldId, { name })
			
				   }
			
				 }

Blink: Plumb correct security origin for isolated world CSPs.

+ 11 - 35 atom/renderer/api/atom_api_web_frame.cc View File

+ 6 - 7 atom/renderer/atom_render_frame_observer.cc View File

+ 6 - 3 lib/renderer/api/web-frame.js View File

+ 11 - 35
atom/renderer/api/atom_api_web_frame.cc
View File

+ 6 - 7
atom/renderer/atom_render_frame_observer.cc
View File

+ 6 - 3
lib/renderer/api/web-frame.js
View File