electron/spec/security-warnings-spec.ts

import { expect } from 'chai';
import * as http from 'http';
import * as fs from 'fs';
import * as path from 'path';
import * as url from 'url';

import { BrowserWindow, WebPreferences } from 'electron/main';

import { closeWindow } from './lib/window-helpers';
import { emittedUntil } from './lib/events-helpers';
import { listen } from './lib/spec-helpers';
import { setTimeout } from 'timers/promises';

const messageContainsSecurityWarning = (event: Event, level: number, message: string) => {
  return message.indexOf('Electron Security Warning') > -1;
};

const isLoaded = (event: Event, level: number, message: string) => {
  return (message === 'loaded');
};

describe('security warnings', () => {
  let server: http.Server;
  let w: BrowserWindow;
  let useCsp = true;
  let serverUrl: string;

  before(async () => {
    // Create HTTP Server
    server = http.createServer((request, response) => {
      const uri = url.parse(request.url!).pathname!;
      let filename = path.join(__dirname, 'fixtures', 'pages', uri);

      fs.stat(filename, (error, stats) => {
        if (error) {
          response.writeHead(404, { 'Content-Type': 'text/plain' });
          response.end();
          return;
        }

        if (stats.isDirectory()) {
          filename += '/index.html';
        }

        fs.readFile(filename, 'binary', (err, file) => {
          if (err) {
            response.writeHead(404, { 'Content-Type': 'text/plain' });
            response.end();
            return;
          }

          const cspHeaders = [
            ...(useCsp ? ['script-src \'self\' \'unsafe-inline\''] : [])
          ];
          response.writeHead(200, { 'Content-Security-Policy': cspHeaders });
          response.write(file, 'binary');
          response.end();
        });
      });
    });

    serverUrl = `http://localhost2:${(await listen(server)).port}`;
  });

  after(() => {
    // Close server
    server.close();
    server = null as unknown as any;
  });

  afterEach(async () => {
    useCsp = true;
    await closeWindow(w);
    w = null as unknown as any;
  });

  it('should warn about Node.js integration with remote content', async () => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        nodeIntegration: true,
        contextIsolation: false
      }
    });

    w.loadURL(`${serverUrl}/base-page-security.html`);
    const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
    expect(message).to.include('Node.js Integration with Remote Content');
  });

  it('should not warn about Node.js integration with remote content from localhost', async () => {
    w = new BrowserWindow({
      show: false,
      webPreferences: {
        nodeIntegration: true
      }
    });

    w.loadURL(`${serverUrl}/base-page-security-onload-message.html`);
    const [,, message] = await emittedUntil(w.webContents, 'console-message', isLoaded);
    expect(message).to.not.include('Node.js Integration with Remote Content');
  });

  const generateSpecs = (description: string, webPreferences: WebPreferences) => {
    describe(description, () => {
      it('should warn about disabled webSecurity', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences: {
            webSecurity: false,
            ...webPreferences
          }
        });

        w.loadURL(`${serverUrl}/base-page-security.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('Disabled webSecurity');
      });

      it('should warn about insecure Content-Security-Policy', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences
        });

        useCsp = false;
        w.loadURL(`${serverUrl}/base-page-security.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('Insecure Content-Security-Policy');
      });

      it('should not warn about secure Content-Security-Policy', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences
        });

        useCsp = true;
        w.loadURL(`${serverUrl}/base-page-security.html`);
        let didNotWarn = true;
        w.webContents.on('console-message', () => {
          didNotWarn = false;
        });
        await setTimeout(500);
        expect(didNotWarn).to.equal(true);
      });

      it('should warn about allowRunningInsecureContent', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences: {
            allowRunningInsecureContent: true,
            ...webPreferences
          }
        });

        w.loadURL(`${serverUrl}/base-page-security.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('allowRunningInsecureContent');
      });

      it('should warn about experimentalFeatures', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences: {
            experimentalFeatures: true,
            ...webPreferences
          }
        });

        w.loadURL(`${serverUrl}/base-page-security.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('experimentalFeatures');
      });

      it('should warn about enableBlinkFeatures', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences: {
            enableBlinkFeatures: 'my-cool-feature',
            ...webPreferences
          }
        });

        w.loadURL(`${serverUrl}/base-page-security.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('enableBlinkFeatures');
      });

      it('should warn about allowpopups', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences
        });

        w.loadURL(`${serverUrl}/webview-allowpopups.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('allowpopups');
      });

      it('should warn about insecure resources', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences
        });

        w.loadURL(`${serverUrl}/insecure-resources.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.include('Insecure Resources');
      });

      it('should not warn about loading insecure-resources.html from localhost', async () => {
        w = new BrowserWindow({
          show: false,
          webPreferences
        });

        w.loadURL(`${serverUrl}/insecure-resources.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
        expect(message).to.not.include('insecure-resources.html');
      });
    });
  };

  generateSpecs('without sandbox', { contextIsolation: false });
  generateSpecs('with sandbox', { sandbox: true, contextIsolation: false });
});
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`import { expect } from 'chai';`
			`import * as http from 'http';`
			`import * as fs from 'fs';`
			`import * as path from 'path';`
			`import * as url from 'url';`

feat: expose electron/{process} typed modules (#22937) * feat: expose electron/{process} typed modules * chore: update imports for common modules * chore: update typescript generator * chore: remap electron/* to the internal packages 2020-04-07 03:04:09 +03:00			`import { BrowserWindow, WebPreferences } from 'electron/main';`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00
refactor: move spec helpers to spec/lib (#37010) Co-authored-by: Milan Burda <miburda@microsoft.com> 2023-01-26 00:01:25 +03:00			`import { closeWindow } from './lib/window-helpers';`
			`import { emittedUntil } from './lib/events-helpers';`
test: use node helpers for events.once and setTimeout promise (#37374) 2023-02-24 02:53:53 +03:00			`import { listen } from './lib/spec-helpers';`
			`import { setTimeout } from 'timers/promises';`
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00
			`const messageContainsSecurityWarning = (event: Event, level: number, message: string) => {`
			`return message.indexOf('Electron Security Warning') > -1;`
			`};`

			`const isLoaded = (event: Event, level: number, message: string) => {`
			`return (message === 'loaded');`
			`};`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00
			`describe('security warnings', () => {`
			`let server: http.Server;`
			`let w: BrowserWindow;`
			`let useCsp = true;`
			`let serverUrl: string;`

test: convert functions to async & eliminate duplicates (#37316) test: convert functions to async Co-authored-by: Milan Burda <miburda@microsoft.com> 2023-02-20 14:30:57 +03:00			`before(async () => {`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`// Create HTTP Server`
			`server = http.createServer((request, response) => {`
			`const uri = url.parse(request.url!).pathname!;`
test: drop now-empty remote runner (#35343) * test: drop the now-empty remote runner from CI * move fixtures to spec-main * remove remote runner * fix stuff * remove global-paths hack * move ts-smoke to spec/ * fix test after merge * rename spec-main to spec * no need to ignore spec/node_modules twice * simplify spec-runner a little * no need to hash pj/yl twice * undo lint change to verify-mksnapshot.py * excessive .. * update electron_woa_testing.yml * don't search for test-results-remote.xml it is never produced now 2022-08-16 22:23:13 +03:00			`let filename = path.join(__dirname, 'fixtures', 'pages', uri);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00
			`fs.stat(filename, (error, stats) => {`
			`if (error) {`
			`response.writeHead(404, { 'Content-Type': 'text/plain' });`
			`response.end();`
			`return;`
			`}`

			`if (stats.isDirectory()) {`
			`filename += '/index.html';`
			`}`

			`fs.readFile(filename, 'binary', (err, file) => {`
			`if (err) {`
			`response.writeHead(404, { 'Content-Type': 'text/plain' });`
			`response.end();`
			`return;`
			`}`

fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			`const cspHeaders = [`
fix: do not trigger CSP violations when checking eval (#30991) * fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com> 2021-10-26 00:11:24 +03:00			`...(useCsp ? ['script-src \'self\' \'unsafe-inline\''] : [])`
fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			`];`
			`response.writeHead(200, { 'Content-Security-Policy': cspHeaders });`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`response.write(file, 'binary');`
			`response.end();`
			`});`
			`});`
			`});`
test: convert functions to async & eliminate duplicates (#37316) test: convert functions to async Co-authored-by: Milan Burda <miburda@microsoft.com> 2023-02-20 14:30:57 +03:00
			serverUrl = `http://localhost2:${(await listen(server)).port}`;
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`});`

			`after(() => {`
			`// Close server`
			`server.close();`
			`server = null as unknown as any;`
			`});`

			`afterEach(async () => {`
			`useCsp = true;`
			`await closeWindow(w);`
			`w = null as unknown as any;`
			`});`

			`it('should warn about Node.js integration with remote content', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
feat: enable context isolation by default (#26890) * feat: enable context isolation by default * chore: set default in ctx iso getter * spec: make all specs work with the new contextIsolation default * spec: fix affinity specs * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * chore: move stray prod deps to dev deps * spec: update tests for new ctx iso default * turn off contextIsolation for visibility tests * turn off contextIsolation for <webview> tag nodeintegration attribute loads native modules when navigation happens Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> 2021-03-02 00:52:29 +03:00			`nodeIntegration: true,`
			`contextIsolation: false`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('Node.js Integration with Remote Content');`
			`});`

chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`it('should not warn about Node.js integration with remote content from localhost', async () => {`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`nodeIntegration: true`
			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security-onload-message.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', isLoaded);`
			`expect(message).to.not.include('Node.js Integration with Remote Content');`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`});`

			`const generateSpecs = (description: string, webPreferences: WebPreferences) => {`
			`describe(description, () => {`
			`it('should warn about disabled webSecurity', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`webSecurity: false,`
			`...webPreferences`
			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('Disabled webSecurity');`
			`});`

			`it('should warn about insecure Content-Security-Policy', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
chore: remove deprecated remote module (#25734) Co-authored-by: Jeremy Rose <jeremya@chromium.org> 2021-03-10 04:12:40 +03:00			`webPreferences`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`});`

			`useCsp = false;`
			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('Insecure Content-Security-Policy');`
			`});`

fix: do not trigger CSP violations when checking eval (#30991) * fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com> 2021-10-26 00:11:24 +03:00			`it('should not warn about secure Content-Security-Policy', async () => {`
fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			`w = new BrowserWindow({`
			`show: false,`
chore: remove deprecated remote module (#25734) Co-authored-by: Jeremy Rose <jeremya@chromium.org> 2021-03-10 04:12:40 +03:00			`webPreferences`
fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			`});`

fix: do not trigger CSP violations when checking eval (#30991) * fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com> 2021-10-26 00:11:24 +03:00			`useCsp = true;`
fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			w.loadURL(`${serverUrl}/base-page-security.html`);
fix: do not trigger CSP violations when checking eval (#30991) * fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com> 2021-10-26 00:11:24 +03:00			`let didNotWarn = true;`
			`w.webContents.on('console-message', () => {`
			`didNotWarn = false;`
			`});`
test: use node helpers for events.once and setTimeout promise (#37374) 2023-02-24 02:53:53 +03:00			`await setTimeout(500);`
fix: do not trigger CSP violations when checking eval (#30991) * fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com> 2021-10-26 00:11:24 +03:00			`expect(didNotWarn).to.equal(true);`
fix: CSP with `unsafe-eval` detection with Trusted Types (#27446) 2021-01-25 04:31:25 +03:00			`});`

test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`it('should warn about allowRunningInsecureContent', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`allowRunningInsecureContent: true,`
			`...webPreferences`
			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('allowRunningInsecureContent');`
			`});`

			`it('should warn about experimentalFeatures', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`experimentalFeatures: true,`
			`...webPreferences`
			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('experimentalFeatures');`
			`});`

			`it('should warn about enableBlinkFeatures', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences: {`
			`enableBlinkFeatures: 'my-cool-feature',`
			`...webPreferences`
			`}`
			`});`

			w.loadURL(`${serverUrl}/base-page-security.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('enableBlinkFeatures');`
			`});`

			`it('should warn about allowpopups', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences`
			`});`

			w.loadURL(`${serverUrl}/webview-allowpopups.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('allowpopups');`
			`});`

			`it('should warn about insecure resources', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
chore: remove deprecated remote module (#25734) Co-authored-by: Jeremy Rose <jeremya@chromium.org> 2021-03-10 04:12:40 +03:00			`webPreferences`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`});`

			w.loadURL(`${serverUrl}/insecure-resources.html`);
chore: bump chromium to e049d599a8332b9b2785b0178be74 (master) (#20314) 2019-10-18 22:57:34 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.include('Insecure Resources');`
			`});`

			`it('should not warn about loading insecure-resources.html from localhost', async () => {`
			`w = new BrowserWindow({`
			`show: false,`
			`webPreferences`
			`});`

			w.loadURL(`${serverUrl}/insecure-resources.html`);
chore: lint spec-main (#20835) 2019-11-01 23:37:02 +03:00			`const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`expect(message).to.not.include('insecure-resources.html');`
			`});`
			`});`
			`};`
build: enable JS semicolons (#22783) 2020-03-20 23:28:31 +03:00
feat: enable context isolation by default (#26890) * feat: enable context isolation by default * chore: set default in ctx iso getter * spec: make all specs work with the new contextIsolation default * spec: fix affinity specs * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * spec: update tests for new ctx iso default * chore: move stray prod deps to dev deps * spec: update tests for new ctx iso default * turn off contextIsolation for visibility tests * turn off contextIsolation for <webview> tag nodeintegration attribute loads native modules when navigation happens Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> 2021-03-02 00:52:29 +03:00			`generateSpecs('without sandbox', { contextIsolation: false });`
			`generateSpecs('with sandbox', { sandbox: true, contextIsolation: false });`
test: move security warnings spec to main runner (#20055) 2019-09-03 10:02:22 +03:00			`});`