From 997c3646d553b94017431d324dfb7f8808bff22e Mon Sep 17 00:00:00 2001 From: yan Date: Tue, 25 Oct 2016 14:18:40 -0700 Subject: [PATCH] harden default web preferences and prevent local files loaded in webviews from reading other files unless explicitly allowed by a webview attribute. fix https://github.com/brave/browser-laptop/issues/4906 auditors: @bridiver --- atom/app/atom_main_delegate.cc | 3 --- atom/browser/atom_browser_client.cc | 6 +++--- lib/renderer/web-view/web-view-attributes.js | 2 ++ lib/renderer/web-view/web-view-constants.js | 2 ++ 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/atom/app/atom_main_delegate.cc b/atom/app/atom_main_delegate.cc index 6603fbb4b5..0cf53a9fc3 100644 --- a/atom/app/atom_main_delegate.cc +++ b/atom/app/atom_main_delegate.cc @@ -184,9 +184,6 @@ void AtomMainDelegate::PreSandboxStartup() { command_line->AppendSwitch(::switches::kNoSandbox); #endif - // Allow file:// URIs to read other file:// URIs by default. - command_line->AppendSwitch(::switches::kAllowFileAccessFromFiles); - #if defined(OS_MACOSX) // Enable AVFoundation. command_line->AppendSwitch("enable-avfoundation"); diff --git a/atom/browser/atom_browser_client.cc b/atom/browser/atom_browser_client.cc index 93560b843c..f679170e9f 100644 --- a/atom/browser/atom_browser_client.cc +++ b/atom/browser/atom_browser_client.cc @@ -130,12 +130,12 @@ void AtomBrowserClient::OverrideWebkitPrefs( prefs->plugins_enabled = true; prefs->dom_paste_enabled = true; prefs->allow_scripts_to_close_windows = true; - prefs->javascript_can_access_clipboard = true; + prefs->javascript_can_access_clipboard = false; prefs->local_storage_enabled = true; prefs->databases_enabled = true; prefs->application_cache_enabled = true; - prefs->allow_universal_access_from_file_urls = true; - prefs->allow_file_access_from_file_urls = true; + prefs->allow_universal_access_from_file_urls = false; + prefs->allow_file_access_from_file_urls = false; prefs->experimental_webgl_enabled = true; prefs->allow_displaying_insecure_content = false; prefs->allow_running_insecure_content = false; diff --git a/lib/renderer/web-view/web-view-attributes.js b/lib/renderer/web-view/web-view-attributes.js index dc8c498b4b..d42caee50d 100644 --- a/lib/renderer/web-view/web-view-attributes.js +++ b/lib/renderer/web-view/web-view-attributes.js @@ -303,6 +303,8 @@ WebViewImpl.prototype.setupWebViewAttributes = function () { this.attributes[webViewConstants.ATTRIBUTE_NODEINTEGRATION] = new BooleanAttribute(webViewConstants.ATTRIBUTE_NODEINTEGRATION, this) this.attributes[webViewConstants.ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT, this) this.attributes[webViewConstants.ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT, this) + this.attributes[webViewConstants.ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS, this) + this.attributes[webViewConstants.ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS, this) this.attributes[webViewConstants.ATTRIBUTE_PLUGINS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_PLUGINS, this) this.attributes[webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY] = new BooleanAttribute(webViewConstants.ATTRIBUTE_DISABLEWEBSECURITY, this) this.attributes[webViewConstants.ATTRIBUTE_ALLOWPOPUPS] = new BooleanAttribute(webViewConstants.ATTRIBUTE_ALLOWPOPUPS, this) diff --git a/lib/renderer/web-view/web-view-constants.js b/lib/renderer/web-view/web-view-constants.js index a9f42d5ce3..6305817a24 100644 --- a/lib/renderer/web-view/web-view-constants.js +++ b/lib/renderer/web-view/web-view-constants.js @@ -12,6 +12,8 @@ module.exports = { ATTRIBUTE_NODEINTEGRATION: 'nodeintegration', ATTRIBUTE_ALLOWDISPLAYINGINSECURECONTENT: 'allowDisplayingInsecureContent', ATTRIBUTE_ALLOWRUNNINGINSECURECONTENT: 'allowRunningInsecureContent', + ATTRIBUTE_ALLOWFILEACCESSFROMFILEURLS: 'allowFileAccessFromFileUrls', + ATTRIBUTE_ALLOWUNIVERSALACCESSFROMFILEURLS: 'allowUniversalAccessFromFileUrls', ATTRIBUTE_PLUGINS: 'plugins', ATTRIBUTE_DISABLEWEBSECURITY: 'disablewebsecurity', ATTRIBUTE_ALLOWPOPUPS: 'allowpopups',