plugin-ext: attach security cookie to webviews

When on Electron, we use a cookie to tell if an http client can use the
backend services. Cookies are bound to domains to which requests will be
made, and also subdomains in certain situations. Because we are using
`localhost` the cookie cannot be shared across subdomains. This commit
works around this limitation by passing the security token from
electron-main process to the renderer-process via a global variable,
and the token is then set inside a cookie for each new webview endpoint
created by the plugin system in the frontend.

Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>

dev-packages/application-manager/src/generator/frontend-generator.ts

@@ -322,19 +322,28 @@ app.on('ready', () => {
         })
     }
 
-    const loadMainWindow = (port) => {
-        if (!mainWindow.isDestroyed()) {
-            mainWindow.webContents.session.cookies.set({
+    const setElectronSecurityToken = port => {
+        return new Promise((resolve, reject) => {
+            electron.session.defaultSession.cookies.set({
                 url: \`http://localhost:\${port}/\`,
                 name: ElectronSecurityToken,
                 value: JSON.stringify(electronSecurityToken),
+                httpOnly: true,
             }, error => {
                 if (error) {
-                    console.error(error);
+                    reject(error);
                 } else {
-                    mainWindow.loadURL('file://' + join(__dirname, '../../lib/index.html') + '?port=' + port);
+                    // Make it easy for renderer process to fetch the ElectronSecurityToken:
+                    global[ElectronSecurityToken] = electronSecurityToken;
+                    resolve();
                 }
             });
+        })
+    }
+
+    const loadMainWindow = port => {
+        if (!mainWindow.isDestroyed()) {
+            mainWindow.loadURL('file://' + join(__dirname, '../../lib/index.html') + '?port=' + port);
         }
     };
 
@@ -354,7 +363,8 @@ app.on('ready', () => {
     // But when in debugging we want to run everything in the same process to make things easier.
     if (noBackendFork) {
         process.env[ElectronSecurityToken] = JSON.stringify(electronSecurityToken);
-        require(mainPath).then(address => {
+        require(mainPath).then(async (address) => {
+            await setElectronSecurityToken(address.port);
             loadMainWindow(address.port);
         }).catch((error) => {
             console.error(error);
@@ -367,7 +377,8 @@ app.on('ready', () => {
         const cp = fork(mainPath, process.argv.slice(devMode ? 2 : 1), { env: Object.assign({
             [ElectronSecurityToken]: JSON.stringify(electronSecurityToken),
         }, process.env) });
-        cp.on('message', (address) => {
+        cp.on('message', async (address) => {
+            await setElectronSecurityToken(address.port);
             loadMainWindow(address.port);
         });
         cp.on('error', (error) => {

packages/core/package.json

@@ -66,6 +66,7 @@
       "backendElectron": "lib/electron-node/keyboard/electron-backend-keyboard-module"
     },
     {
+      "frontendElectron": "lib/electron-browser/token/electron-token-frontend-module",
       "backendElectron": "lib/electron-node/token/electron-token-backend-module"
     }
   ],

packages/core/src/electron-browser/token/electron-token-frontend-module.ts

@@ -0,0 +1,23 @@
+/********************************************************************************
+ * Copyright (C) 2020 Ericsson and others.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the Eclipse
+ * Public License v. 2.0 are satisfied: GNU General Public License, version 2
+ * with the GNU Classpath Exception which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ ********************************************************************************/
+
+import * as electron from 'electron';
+import { ContainerModule } from 'inversify';
+import { ElectronSecurityToken } from '../../electron-common/electron-token';
+
+export default new ContainerModule(bind => {
+    bind(ElectronSecurityToken).toConstantValue(electron.remote.getGlobal(ElectronSecurityToken));
+});

packages/plugin-ext/src/main/browser/plugin-ext-frontend-module.ts

@@ -20,9 +20,9 @@ import '../../../src/main/browser/style/index.css';
 import { ContainerModule } from 'inversify';
 import {
     FrontendApplicationContribution, WidgetFactory, bindViewContribution,
-    ViewContainerIdentifier, ViewContainer, createTreeContainer, TreeImpl, TreeWidget, TreeModelImpl, LabelProviderContribution
+    ViewContainerIdentifier, ViewContainer, createTreeContainer, TreeImpl, TreeWidget, TreeModelImpl, LabelProviderContribution, /* Endpoint */
 } from '@theia/core/lib/browser';
-import { MaybePromise, CommandContribution, ResourceResolver, bindContributionProvider } from '@theia/core/lib/common';
+import { MaybePromise, CommandContribution, ResourceResolver, bindContributionProvider, environment } from '@theia/core/lib/common';
 import { WebSocketConnectionProvider } from '@theia/core/lib/browser/messaging';
 import { HostedPluginSupport } from '../../hosted/browser/hosted-plugin';
 import { HostedPluginWatcher } from '../../hosted/browser/hosted-plugin-watcher';
@@ -70,6 +70,12 @@ import { WebviewResourceLoader, WebviewResourceLoaderPath } from '../common/webv
 import { WebviewResourceCache } from './webview/webview-resource-cache';
 import { PluginIconThemeService, PluginIconThemeFactory, PluginIconThemeDefinition, PluginIconTheme } from './plugin-icon-theme-service';
 import { PluginTreeViewNodeLabelProvider } from './view/plugin-tree-view-node-label-provider';
+import { ElectronSecurityToken } from '@theia/core/lib/electron-common/electron-token';
+
+let electronRemote: typeof import('electron').remote | undefined;
+if (environment.electron.is()) {
+    electronRemote = require('electron').remote;
+}
 
 export default new ContainerModule((bind, unbind, isBound, rebind) => {
 
@@ -170,7 +176,23 @@ export default new ContainerModule((bind, unbind, isBound, rebind) => {
             if (endpoint[endpoint.length - 1] === '/') {
                 endpoint = endpoint.slice(0, endpoint.length - 1);
             }
-
+            if (typeof electronRemote !== 'undefined' && typeof electronRemote.session.defaultSession !== 'undefined') {
+                // Attach the ElectronSecurityToken to a cookie that will be sent with each webview request:
+                await new Promise((resolve, reject) => {
+                    electronRemote!.session.defaultSession!.cookies.set({
+                        url: endpoint,
+                        name: ElectronSecurityToken,
+                        value: JSON.stringify(container.get(ElectronSecurityToken)),
+                        httpOnly: true,
+                    }, error => {
+                        if (error) {
+                            reject(error);
+                        } else {
+                            resolve();
+                        }
+                    });
+                });
+            }
             const child = container.createChild();
             child.bind(WebviewWidgetIdentifier).toConstantValue(identifier);
             child.bind(WebviewWidgetExternalEndpoint).toConstantValue(endpoint);