Added two security improvements as mentioned at http://electron.atom.io/docs/all/#checklist
parent
04fe0fd336
commit
54849d6859
|
@ -1,5 +1,9 @@
|
|||
'use strict';
|
||||
|
||||
window.eval = global.eval = function() {
|
||||
throw new Error("Sorry, Mattermost does not support window.eval() for security reasons.");
|
||||
}
|
||||
|
||||
const React = require('react');
|
||||
const ReactDOM = require('react-dom');
|
||||
const ReactBootstrap = require('react-bootstrap');
|
||||
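Review bot: The `window.eval = global.eval = function() { ... }` override is a plain assignment, so any script that runs later in this renderer can assign the property back. It also leaves the other string-to-code paths (`new Function(...)`, string arguments to `setTimeout`/`setInterval`) untouched. Consider pinning the property with `Object.defineProperty(window, 'eval', {value: <the throwing function>, writable: false, configurable: false});` and serving the page with a Content-Security-Policy that omits `'unsafe-eval'`. The override applies only to the context that loads this file; whether guest pages inside the `<webview>` get the same treatment depends on the preload script, which this hunk does not show. The assignment is also missing its terminating `;` after the closing brace.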
|
@ -417,7 +421,7 @@ var MattermostView = React.createClass({
|
|||
// Need to keep webview mounted when failed to load.
|
||||
return (<div>
|
||||
{ errorView }
|
||||
<webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview"></webview>
|
||||
<webview id={ this.props.id } className="mattermostView" style={ this.props.style } preload="webview/mattermost.js" src={ this.props.src } ref="webview" nodeintegration="false"></webview>
|
||||
</div>);
|
||||
}
|
||||
});
|
||||
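Review bot: `nodeintegration="false"` on the `<webview>` may not do what it says. Electron documents `nodeintegration` as an attribute whose presence turns Node integration on for the guest, so a string value of `"false"` is not guaranteed to disable it, and on versions that only check for presence it would enable it. The form the Electron documentation describes for a guest without Node access is to leave the attribute off: `<webview id={ this.props.id } ... src={ this.props.src } ref="webview"></webview>`. Nothing visible on this page checks the webview itself, so add a test along the lines of `.windowByIndex(1).isNodeEnabled().should.eventually.be.false` to pin the actual behaviour on the Electron version in use. The enclosing `render` method of `MattermostView` begins outside this hunk.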
|
|
|
@ -76,5 +76,14 @@ describe('application', function() {
|
|||
});
|
||||
}, 5000, 'expected a new window')
|
||||
.windowByIndex(3).isNodeEnabled().should.eventually.be.false;
|
||||
})
|
||||
});
|
||||
|
||||
it('should NOT be able to call eval in any window', function() {
|
||||
env.addClientCommands(this.app.client);
|
||||
const client = this.app.client;
|
||||
return this.app.client
|
||||
.windowByIndex(1) // in the first webview
|
||||
.eval()
|
||||
.should.be.rejected;
|
||||
});
|
||||
});
|
||||
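Review bot: `.eval().should.be.rejected` passes on any rejection, including a missing `eval` client command or a window index that does not exist, so the new test can go green without the override being in effect. Tie the assertion to the override, for example `.should.be.rejectedWith(/does not support window\.eval/)`, assuming the thrown message reaches the client. The title says "any window", but only `windowByIndex(1)` is exercised; either loop over the window indices or narrow the title. `const client = this.app.client;` is unused and can be dropped. The enclosing `describe('application', ...)` block starts outside this hunk.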
|
|