
fix: do not enable node integration in child window if not enabled (#15109)

Cheng Zhao 6 years ago
parent
commit
fbc7b7f8ad

+ 5 - 0
atom/browser/web_contents_preferences.cc

@@ -336,6 +336,11 @@ void WebContentsPreferences::OverrideWebkitPrefs(
   std::string encoding;
   if (self->web_preferences_.GetString("defaultEncoding", &encoding))
     prefs->default_encoding = encoding;
+
+  bool node_integration = false;
+  self->web_preferences_.GetBoolean(options::kNodeIntegration,
+                                    &node_integration);
+  prefs->node_integration = node_integration;
 }
 
 bool WebContentsPreferences::GetInteger(const std::string& attributeName,
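Review bot: The result of `GetBoolean` on the added lines is discarded, unlike the `GetString` call just above. A missing or non-boolean `nodeIntegration` entry therefore presumably leaves `node_integration` at `false`. That is the safe direction, but the renderer now gates Node access on this field, so it should be stated, for example `// Fail closed: an absent or non-boolean nodeIntegration is treated as disabled.` above `bool node_integration = false;`. Whether a default is written into `web_preferences_` before this point is not visible here, so confirm that windows relying on the default still get the intended value. The body of OverrideWebkitPrefs starts outside the hunk.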

+ 10 - 0
atom/renderer/atom_renderer_client.cc

@@ -17,6 +17,7 @@
 #include "atom/renderer/atom_render_frame_observer.h"
 #include "atom/renderer/web_worker_observer.h"
 #include "base/command_line.h"
+#include "content/public/common/web_preferences.h"
 #include "content/public/renderer/render_frame.h"
 #include "native_mate/dictionary.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
@@ -89,6 +90,15 @@ void AtomRendererClient::DidCreateScriptContext(
   if (!render_frame->IsMainFrame() && !IsDevToolsExtension(render_frame))
     return;
 
+  // Don't allow node integration if this is a child window and it does not have
+  // node integration enabled.  Otherwise we would have memory leak in the child
+  // window since we don't clean up node environments.
+  //
+  // TODO(zcbenz): We shouldn't allow node integration even for the top frame.
+  if (!render_frame->GetWebkitPreferences().node_integration &&
+      render_frame->GetWebFrame()->Opener())
+    return;
+
   // Prepare the node bindings.
   if (!node_integration_initialized_) {
     node_integration_initialized_ = true;
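Review bot: The comment on the new guard describes it only as a memory-leak fix, but the same check is what stops a child window with `nodeIntegration` disabled from receiving Node bindings, so a later cleanup could relax it as a mere optimisation. I would add a line such as `// Security: a window with an opener must not get Node access unless its own node_integration pref is set.` The condition also requires `Opener()` to be non-null, so a top-level frame without an opener still reaches the binding setup whatever the pref says; the TODO acknowledges this and would be easier to follow up with an issue reference. No regression spec for the child-window case is visible on this page. DidCreateScriptContext starts and ends outside the hunk.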

+ 1 - 1
vendor/libchromiumcontent

@@ -1 +1 @@
-Subproject commit e271f9ba29ff73167bbc4a7e125657caccb32960
+Subproject commit 5d0f8f9df14f8d1c3e52e701c339448c3e9dc143