spec: Should check origin before accessing window.opener

2026-04-10 03:01:51 -04:00 · 2016-11-15 16:47:28 +09:00
parent 037a458e1d
commit 1f49da7a06
2 changed files with 54 additions and 5 deletions
--- a/spec/chromium-spec.js
+++ b/spec/chromium-spec.js
@@ -5,7 +5,7 @@ const ws = require('ws')
 const url = require('url')
 const remote = require('electron').remote

-const {BrowserWindow, session, webContents} = remote
+const {BrowserWindow, protocol, session, webContents} = remote

 const isCI = remote.getGlobal('isCi')

@@ -283,11 +283,11 @@ describe('chromium feature', function () {
  describe('window.opener', function () {
    this.timeout(10000)

-    var url = 'file://' + fixtures + '/pages/window-opener.html'
-    var w = null
+    let url = 'file://' + fixtures + '/pages/window-opener.html'
+    let w = null

    afterEach(function () {
-      w != null ? w.destroy() : void 0
+      if (w) w.destroy()
    })

    it('is null for main window', function (done) {
@@ -302,7 +302,7 @@ describe('chromium feature', function () {
    })

    it('is not null for window opened by window.open', function (done) {
-      var b
+      let b
      listener = function (event) {
        assert.equal(event.data, 'object')
        b.close()
@@ -313,6 +313,48 @@ describe('chromium feature', function () {
    })
  })

+  describe('window.opener security', function () {
+    this.timeout(10000)
+
+    let scheme = 'other'
+    let url = `${scheme}://${fixtures}/pages/window-opener-location.html`
+    let w = null
+
+    before(function () {
+      protocol.registerFileProtocol(scheme, function (request, callback) {
+        callback(`${fixtures}/pages/window-opener-location.html`)
+      }, function (error) {
+        if (error) done(error)
+      })
+    })
+
+    after(function() {
+      protocol.unregisterProtocol(scheme)
+    })
+
+    afterEach(function () {
+      w.close()
+    })
+
+    it('does nothing when origin of current window does not match opener', function (done) {
+      listener = function (event) {
+        assert.equal(event.data, undefined)
+        done()
+      }
+      window.addEventListener('message', listener)
+      w = window.open(url, '', 'show=no')
+    })
+
+    it('works when origin does not match opener but has node integration', function (done) {
+      listener = function (event) {
+        assert.equal(event.data, location.href)
+        done()
+      }
+      window.addEventListener('message', listener)
+      w = window.open(url, '', 'show=no,nodeIntegration=yes')
+    })
+  })
+
  describe('window.postMessage', function () {
    it('sets the source and origin correctly', function (done) {
      var b, sourceId
--- a/spec/fixtures/pages/window-opener-location.html
+++ b/spec/fixtures/pages/window-opener-location.html
@@ -0,0 +1,7 @@
+<html>
+<body>
+<script type="text/javascript" charset="utf-8">
+  window.opener.postMessage(window.opener.location, '*')
+</script>
+</body>
+</html>