This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

remove webSecurity:false in webPreferences #10242

Merged
merged 1 commit into from
Sep 13, 2017

Member

@diracdeltas diracdeltas commented Aug 1, 2017

and add some comments for security-sensitive code

fix #10240

Submitter Checklist:

  • Submitted a ticket for my issue if one did not already exist.
  • Used Github auto-closing keywords in the commit message.
  • Added/updated tests for this change (for new code or code which already has tests).
  • Ran git rebase -i to squash commits (if needed).
  • Tagged reviewers and labelled the pull request as needed.

Test Plan:

Reviewer Checklist:

Tests

  • Adequate test coverage exists to prevent regressions
  • Tests should be independent and work correctly when run individually or as a suite ref
  • New files have MPL2 license header

@diracdeltas diracdeltas added this to the 0.20.x (Developer Channel) milestone Aug 1, 2017
@diracdeltas diracdeltas self-assigned this Aug 1, 2017
sharedWorker: true,
nodeIntegration: false,
Member Author

this is not needed anymore, right?

Collaborator

yea, does nothing

@@ -706,6 +706,7 @@ const api = {
},

executeScriptInBackground: (script, cb) => {
// Do not edit without security review
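Review bot: The new `// Do not edit without security review` line at the top of `executeScriptInBackground` states the rule without the reason. Add a sentence on what makes the function sensitive (it accepts a `script` argument to run in the background) and what a reviewer should check, so the comment still helps once the context of this PR is forgotten.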
Collaborator

this is not a web-accessible api and is only used in the browser process. Actually now that we have worker threads it isn't used at all

partition: 'default',
webSecurity: false,
allowFileAccessFromFileUrls: true,
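Review bot: `allowFileAccessFromFileUrls: true` sits directly beside the `webSecurity: false` entry in this webPreferences block, and the PR title covers only the latter. If the file-access flag has to stay, give it a comment saying what depends on it; if it goes too, add a test that exercises this webPreferences block so a regression from either removal is caught.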
Collaborator

I don't know if these are necessary anymore either since we're using chrome://brave urls now

@diracdeltas
Member Author

@bridiver I reverted 42aa0cc. can't tell if anything is broken. please let me know if you remember a test case.

@luixxiul luixxiul modified the milestones: 0.21.x (Nightly Channel), 0.20.x (Developer Channel) Aug 7, 2017
@diracdeltas
Member Author

@bridiver ready for review

@NejcZdovc NejcZdovc modified the milestones: 0.20.x (Developer Channel), 0.21.x (Nightly Channel) Aug 15, 2017
@@ -699,22 +698,6 @@ const api = {
})
},

executeScriptInBackground: (script, cb) => {
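Review bot: The header `-699,22 +698,6` removes 16 lines beginning at `executeScriptInBackground: (script, cb) => {`. If this deletes the function, check for remaining callers first; if any exist, keep the function together with its security-review comment instead.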
Collaborator

I think this is being used in a PR in progress

Contributor

Yes this is used in this PR #10325

and add some comments for security-sensitive code

fix #10240
@diracdeltas
Member Author

fixed the merge conflict. @NejcZdovc @bridiver could one of you review plz

@luixxiul
Contributor

no-qa-needed?

Contributor

@NejcZdovc NejcZdovc left a comment

looks good to me

@diracdeltas diracdeltas merged commit 0cb884d into master Sep 13, 2017
@diracdeltas diracdeltas deleted the fix/10240 branch September 13, 2017 17:43
diracdeltas added a commit that referenced this pull request Sep 13, 2017
remove webSecurity:false in webPreferences
Successfully merging this pull request may close these issues.

make sure we pass basic Electron security audit