harden default web preferences

and prevent local files loaded in webviews from reading other files unless explicitly allowed by a webview attribute. fix brave/browser-laptop#4906 auditors: @bridiver
brave · Oct 25, 2016 · 997c364 · 997c364
1 parent 6e14e40
commit 997c364
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 6 deletions.
diff --git a/atom/app/atom_main_delegate.cc b/atom/app/atom_main_delegate.cc
@@ -184,9 +184,6 @@ void AtomMainDelegate::PreSandboxStartup() {
   command_line->AppendSwitch(::switches::kNoSandbox);
 #endif
 
-  // Allow file:// URIs to read other file:// URIs by default.
-  command_line->AppendSwitch(::switches::kAllowFileAccessFromFiles);
-
 #if defined(OS_MACOSX)
   // Enable AVFoundation.
   command_line->AppendSwitch("enable-avfoundation");

diff --git a/atom/browser/atom_browser_client.cc b/atom/browser/atom_browser_client.cc
@@ -130,12 +130,12 @@ void AtomBrowserClient::OverrideWebkitPrefs(
   prefs->plugins_enabled = true;
   prefs->dom_paste_enabled = true;
   prefs->allow_scripts_to_close_windows = true;
-  prefs->javascript_can_access_clipboard = true;
+  prefs->javascript_can_access_clipboard = false;
   prefs->local_storage_enabled = true;
   prefs->databases_enabled = true;
   prefs->application_cache_enabled = true;
-  prefs->allow_universal_access_from_file_urls = true;
-  prefs->allow_file_access_from_file_urls = true;
+  prefs->allow_universal_access_from_file_urls = false;
+  prefs->allow_file_access_from_file_urls = false;
   prefs->experimental_webgl_enabled = true;
   prefs->allow_displaying_insecure_content = false;
   prefs->allow_running_insecure_content = false;

diff --git a/lib/renderer/web-view/web-view-attributes.js b/lib/renderer/web-view/web-view-attributes.js
@@ -303,6 +303,8 @@ WebViewImpl.prototype.setupWebViewAttributes = function () {
   this.attributes[webViewConstants.ATTRIBUTE_NODEINTEGRATION] = new BooleanAttribute(webViewConstants.ATTRIBUTE_NODEINTEGRATION, this)
   this.attributes[webViewConstants.ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT, this)
   this.attributes[webViewConstants.ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT, this)
+  this.attributes[webViewConstants.ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS, this)
+  this.attributes[webViewConstants.ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS, this)
   this.attributes[webViewConstants.ATTRIBUTE_PLUGINS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_PLUGINS, this)
   this.attributes[webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY] = new BooleanAttribute(webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY, this)
   this.attributes[webViewConstants.ATTRIBUTE_ALLOWPOPUPS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWPOPUPS, this)

diff --git a/lib/renderer/web-view/web-view-constants.js b/lib/renderer/web-view/web-view-constants.js
@@ -12,6 +12,8 @@ module.exports = {
   ATTRIBUTE_NODEINTEGRATION: 'nodeintegration',
   ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT: 'allowDisplayingInsecureContent',
   ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT: 'allowRunningInsecureContent',
+  ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS: 'allowFileAccessFromFileUrls',
+  ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS: 'allowUniversalAccessFromFileUrls',
   ATTRIBUTE_PLUGINS: 'plugins',
   ATTRIBUTE_DISABLEWEBSECURITY: 'disablewebsecurity',
   ATTRIBUTE_ALLOWPOPUPS: 'allowpopups',