Add context isolation option to windows and webview tags

[kevinsawicki]

This pull request adds support for running the preload script and Electron APIs in a separate, isolated JavaScript context from the main JavaScript context of the loaded page.

This ensures the loaded page can't tamper with any JavaScript built-ins (such as Array.prototype.push, JSON.parse, etc.) that the preload script and Electron APIs make use of.

The preload script still has full access to the DOM, document, and window globals via secure proxies that prevent leakage across the contexts. This is provided by reusing Chrome's built-in support for content scripts.

This option is completely opt-in and no existing behavior is changed.

Example

Shown below is an application that loads a page (possibly remote/untrusted) but wants to open any clicked links in an external browser using Electron's shell API.

This example also shows how variables can be injected into the loaded page and how the preload script can listen for messages from the page using window.postMessage.

main.js

const {app, BrowserWindow} = require('electron')
const path = require('path')

let window

app.once('ready', () => {
  window = new BrowserWindow({
    webPreferences: {
      contextIsolation: true,
      preload: path.join(__dirname, 'preload.js')
    }
  })
  window.loadURL(`file://${__dirname}/index.html`)
})

preload.js

const {shell, webFrame} = require('electron')
const path = require('path')

// Set a variable in the page before it loads
webFrame.executeJavaScript('window.foo = "foo";')

// The loaded page will not be able to access this, it is only available
// in this context
window.bar = 'bar'

document.addEventListener('DOMContentLoaded', () => {
  // Will log out 'undefined' since window.foo is only available in the main
  // context
  console.log(window.foo)

  // Will log out 'bar' since window.bar is available in this context
  console.log(window.bar)

  document.body.addEventListener('click', (event) => {
    // Open clicked links externally
    if (event.target.tagName === 'A') {
      shell.openExternal(event.target.href)
      event.preventDefault()
    }
  })
})

window.addEventListener('message', (event) => {
  // Beep when the page requests it
  if (event.data === 'beep') {
    shell.beep()
  }
})

index.html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>A Remote Page</title>
    <script>
      // Will log out 'foo' since window.foo is only available in this context
      console.log(window.foo)

      // Will log out 'undefined' since window.bar is only available in the isolated
      // context
      console.log(window.bar)
    </script>
  </head>
  <body>
    <a href="https://github.com">Click me</a>
    <button onclick="window.postMessage('beep', '*')">Beep!</button>
  </body>
</html>

Depends on electron/libchromiumcontent#251

/cc @electron/maintainers

[frozeman]

👍

[enlight]

The security guide should also be updated to mention this feature.

[zeke]

Bravo, @kevinsawicki!

[bundyo]

Can we now get webviews with nodeIntegration off? :)

[MarshallOfSound]

@bundyo You always disable nodeIntegration on a webview? Or do you mean use a webview from within a BrowserWindow which has nodeIntegration disabled?

[bundyo]

The second. Our use case is that we don't want any node modules required by mistake in the renderer (and we also load some external content), so we preload them with nodeIntegration off. However, we do need a webview that has to communicate with the main process too. If we use an iframe, we should make an additional proxy from postMessage to ipc.

[MarshallOfSound]

@bundyo Your use case sounds a bit unusual, however it is still not possible to load a webview in a webContents with nodeIntegration disabled.

However as a potential solution to your exact use case, have you considered simply using two WebViews? I.e.

Main Process
  |
  | - BrowserWindow
             | - WebView
             | - WebView

[bundyo]

This actually sounds okay :) Thanks, I'll try it.