chore: warn when nodeIntegration's default is relied on (#16004)

atom/browser/web_contents_preferences.cc

@@ -98,6 +98,9 @@ WebContentsPreferences::WebContentsPreferences(
 
   instances_.push_back(this);
 
+  preference_.SetKey(options::kNodeIntegrationWasExplicitlyEnabled,
+                     base::Value(IsEnabled(options::kNodeIntegration)));
+
   // Set WebPreferences defaults onto the JS object
   SetDefaultBoolIfUndefined(options::kPlugins, false);
   SetDefaultBoolIfUndefined(options::kExperimentalFeatures, false);

atom/common/options_switches.cc

@@ -110,6 +110,13 @@ const char kPreloadURL[] = "preloadURL";
 // Enable the node integration.
 const char kNodeIntegration[] = "nodeIntegration";
 
+// Whether node integration was explicitly enabled.
+// This is to support the change from default-enabled to default-disabled in
+// Electron 5 (with a warning message in 4). This option and its usages
+// can be removed in Electron 5.
+const char kNodeIntegrationWasExplicitlyEnabled[] =
+    "nodeIntegrationWasExplicitlyEnabled";
+
 // Enable the remote module
 const char kEnableRemoteModule[] = "enableRemoteModule";
 

atom/common/options_switches.h

@@ -58,6 +58,7 @@ extern const char kZoomFactor[];
 extern const char kPreloadScript[];
 extern const char kPreloadURL[];
 extern const char kNodeIntegration[];
+extern const char kNodeIntegrationWasExplicitlyEnabled[];
 extern const char kEnableRemoteModule[];
 extern const char kContextIsolation[];
 extern const char kGuestInstanceID[];

lib/renderer/security-warnings.js

@@ -249,6 +249,16 @@ const warnAboutAllowedPopups = function () {
   }
 }
 
+const warnAboutNodeIntegrationDefault = function (webPreferences) {
+  if (webPreferences.nodeIntegration && !webPreferences.nodeIntegrationWasExplicitlyEnabled) {
+    const warning = `This window has node integration enabled by default. In ` +
+        `Electron 5.0.0, node integration will be disabled by default. To prepare ` +
+        `for this change, set {nodeIntegration: true} in the webPreferences for ` +
+        `this window.`
+    console.warn('%cElectron Deprecation Warning (nodeIntegration default change)', 'font-weight: bold;', warning)
+  }
+}
+
 // Currently missing since we can't easily programmatically check for it:
 //   #12WebViews: Verify the options and params of all `<webview>` tags
 
@@ -261,6 +271,7 @@ const logSecurityWarnings = function (webPreferences, nodeIntegration) {
   warnAboutEnableBlinkFeatures(webPreferences)
   warnAboutInsecureCSP()
   warnAboutAllowedPopups()
+  warnAboutNodeIntegrationDefault(webPreferences)
 }
 
 const getWebPreferences = function () {