Merge pull request #934 from atom/webview-websecurity

Add "disablewebsecurity" attribute for <webview>
2014-12-18 11:21:04 -08:00 · 2014-12-18 11:21:04 -08:00 · 48b0d85f54
--- a/atom/browser/api/atom_api_web_contents.cc
+++ b/atom/browser/api/atom_api_web_contents.cc
@ -274,6 +274,9 @@ void WebContents::Destroy() {
    if (!destruction_callback_.is_null())
      destruction_callback_.Run();

+    // When force destroying the "destroyed" event is not emitted.
+    WebContentsDestroyed();
+
    Observe(nullptr);
    storage_.reset();
  }
--- a/atom/browser/atom_browser_client.cc
+++ b/atom/browser/atom_browser_client.cc
@ -96,6 +96,14 @@ void AtomBrowserClient::OverrideWebkitPrefs(
    return;
  }

+  // Custom preferences of guest page.
+  int guest_process_id = render_view_host->GetProcess()->GetID();
+  WebViewRendererState::WebViewInfo info;
+  if (WebViewRendererState::GetInstance()->GetInfo(guest_process_id, &info)) {
+    prefs->web_security_enabled = !info.disable_web_security;
+    return;
+  }
+
  NativeWindow* window = NativeWindow::FromRenderView(
      render_view_host->GetProcess()->GetID(),
      render_view_host->GetRoutingID());
--- a/atom/browser/lib/guest-view-manager.coffee
+++ b/atom/browser/lib/guest-view-manager.coffee
@ -40,8 +40,9 @@ createGuest = (embedder, params) ->
  destroyEvents = ['destroyed', 'crashed', 'did-navigate-to-different-page']
  destroy = ->
    destroyGuest id if guestInstances[id]?
-    embedder.removeListener event, destroy for event in destroyEvents
  embedder.once event, destroy for event in destroyEvents
+  guest.once 'destroyed', ->
+    embedder.removeListener event, destroy for event in destroyEvents

  # Init guest web view after attached.
  guest.once 'did-attach', ->
@ -93,6 +94,7 @@ attachGuest = (embedder, elementInstanceId, guestInstanceId, params) ->
  webViewManager.addGuest guestInstanceId, elementInstanceId, embedder, guest,
    nodeIntegration: params.nodeintegration
    plugins: params.plugins
+    disableWebSecurity: params.disablewebsecurity
    preloadUrl: params.preload ? ''

  guest.attachParams = params
--- a/atom/browser/web_view/web_view_manager.cc
+++ b/atom/browser/web_view/web_view_manager.cc
@ -41,7 +41,8 @@ struct Converter<atom::WebViewManager::WebViewOptions> {
      return false;
    return options.Get("nodeIntegration", &(out->node_integration)) &&
           options.Get("plugins", &(out->plugins)) &&
-           options.Get("preloadUrl", &(out->preload_url));
+           options.Get("preloadUrl", &(out->preload_url)) &&
+           options.Get("disableWebSecurity", &(out->disable_web_security));
  }
 };

@ -63,7 +64,10 @@ void WebViewManager::AddGuest(int guest_instance_id,
  web_contents_map_[guest_instance_id] = { web_contents, embedder };

  WebViewRendererState::WebViewInfo web_view_info = {
-    guest_instance_id, options.node_integration, options.plugins
+    guest_instance_id,
+    options.node_integration,
+    options.plugins,
+    options.disable_web_security,
  };
  net::FileURLToFilePath(options.preload_url, &web_view_info.preload_script);
  content::BrowserThread::PostTask(
--- a/atom/browser/web_view/web_view_manager.h
+++ b/atom/browser/web_view/web_view_manager.h
@ -24,6 +24,7 @@ class WebViewManager : public content::BrowserPluginGuestManager {
  struct WebViewOptions {
    bool node_integration;
    bool plugins;
+    bool disable_web_security;
    GURL preload_url;
  };

--- a/atom/browser/web_view/web_view_renderer_state.h
+++ b/atom/browser/web_view/web_view_renderer_state.h
@ -24,6 +24,7 @@ class WebViewRendererState {
    int guest_instance_id;
    bool node_integration;
    bool plugins;
+    bool disable_web_security;
    base::FilePath preload_script;
  };

--- a/atom/renderer/lib/web-view/web-view-attributes.coffee
+++ b/atom/renderer/lib/web-view/web-view-attributes.coffee
@ -195,6 +195,7 @@ WebViewImpl::setupWebViewAttributes = ->
  @attributes[webViewConstants.ATTRIBUTE_HTTPREFERRER] = new HttpReferrerAttribute(this)
  @attributes[webViewConstants.ATTRIBUTE_NODEINTEGRATION] = new BooleanAttribute(webViewConstants.ATTRIBUTE_NODEINTEGRATION, this)
  @attributes[webViewConstants.ATTRIBUTE_PLUGINS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_PLUGINS, this)
+  @attributes[webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY] = new BooleanAttribute(webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY, this)
  @attributes[webViewConstants.ATTRIBUTE_PRELOAD] = new PreloadAttribute(this)

  autosizeAttributes = [
--- a/atom/renderer/lib/web-view/web-view-constants.coffee
+++ b/atom/renderer/lib/web-view/web-view-constants.coffee
@ -12,6 +12,7 @@ module.exports =
  ATTRIBUTE_HTTPREFERRER: 'httpreferrer'
  ATTRIBUTE_NODEINTEGRATION: 'nodeintegration'
  ATTRIBUTE_PLUGINS: 'plugins'
+  ATTRIBUTE_DISABLEWEBSECURITY: 'disablewebsecurity'
  ATTRIBUTE_PRELOAD: 'preload'

  # Internal attribute.
--- a/atom/renderer/lib/web-view/web-view.coffee
+++ b/atom/renderer/lib/web-view/web-view.coffee
@ -50,7 +50,6 @@ class WebViewImpl
    # heard back from createGuest yet. We will not reset the flag in this case so
    # that we don't end up allocating a second guest.
    if @guestInstanceId
-      # FIXME
      guestViewInternal.destroyGuest @guestInstanceId
      @guestInstanceId = undefined
      @beforeFirstNavigation = true
--- a/docs/api/web-view-tag.md
+++ b/docs/api/web-view-tag.md
@ -112,6 +112,14 @@ after this script has done execution.

 Sets the referrer URL for the guest page.

+### disablewebsecurity
+
+```html
+<webview src="https://www.github.com/" disablewebsecurity></webview>
+```
+
+If "on", the guest page will have web security disabled.
+
 ## Methods

 ### `<webview>`.getUrl()
--- a/spec/fixtures/assets/logo.png
+++ b/spec/fixtures/assets/logo.png
--- a/spec/webview-spec.coffee
+++ b/spec/webview-spec.coffee
@ -70,6 +70,36 @@ describe '<webview> tag', ->
      webview.src = "file://#{fixtures}/pages/referrer.html"
      document.body.appendChild webview

+  describe 'disablewebsecurity attribute', ->
+    it 'does not disable web security when not set', (done) ->
+      src = "
+        <script src='file://#{__dirname}/static/jquery-2.0.3.min.js'></script>
+        <script>console.log('ok');</script>
+      "
+      encoded = btoa(unescape(encodeURIComponent(src)))
+      listener = (e) ->
+        assert /Not allowed to load local resource/.test(e.message)
+        webview.removeEventListener 'console-message', listener
+        done()
+      webview.addEventListener 'console-message', listener
+      webview.src = "data:text/html;base64,#{encoded}"
+      document.body.appendChild webview
+
+    it 'disables web security when set', (done) ->
+      src = "
+        <script src='file://#{__dirname}/static/jquery-2.0.3.min.js'></script>
+        <script>console.log('ok');</script>
+      "
+      encoded = btoa(unescape(encodeURIComponent(src)))
+      listener = (e) ->
+        assert.equal e.message, 'ok'
+        webview.removeEventListener 'console-message', listener
+        done()
+      webview.addEventListener 'console-message', listener
+      webview.setAttribute 'disablewebsecurity', ''
+      webview.src = "data:text/html;base64,#{encoded}"
+      document.body.appendChild webview
+
  describe 'new-window event', ->
    it 'emits when window.open is called', (done) ->
      webview.addEventListener 'new-window', (e) ->