fix: warnAboutRemoteModuleWithRemoteContent (#29691)

Co-authored-by: Milan Burda <miburda@microsoft.com>
2026-04-10 03:01:51 -04:00 · 2021-06-15 12:02:03 +02:00
parent 7b2a4c9984
commit 62402870fd
2 changed files with 17 additions and 8 deletions
--- a/lib/renderer/security-warnings.ts
+++ b/lib/renderer/security-warnings.ts
@@ -270,9 +270,7 @@ const warnAboutAllowedPopups = function () {
 // Logs a warning message about the remote module

 const warnAboutRemoteModuleWithRemoteContent = function (webPreferences?: Electron.WebPreferences) {
-  if (!webPreferences || isLocalhost()) return;
-  const remoteModuleEnabled = webPreferences.enableRemoteModule != null ? !!webPreferences.enableRemoteModule : true;
-  if (!remoteModuleEnabled) return;
+  if (!webPreferences || !webPreferences.enableRemoteModule || isLocalhost()) return;

  if (getIsRemoteProtocol()) {
    const warning = `This renderer process has "enableRemoteModule" enabled
@@ -298,7 +296,9 @@ const logSecurityWarnings = function (
  warnAboutEnableBlinkFeatures(webPreferences);
  warnAboutInsecureCSP();
  warnAboutAllowedPopups();
-  warnAboutRemoteModuleWithRemoteContent(webPreferences);
+  if (BUILDFLAG(ENABLE_REMOTE_MODULE)) {
+    warnAboutRemoteModuleWithRemoteContent(webPreferences);
+  }
 };

 const getWebPreferences = async function () {
--- a/spec-main/security-warnings-spec.ts
+++ b/spec-main/security-warnings-spec.ts
@@ -9,6 +9,9 @@ import { BrowserWindow, WebPreferences } from 'electron/main';
 import { closeWindow } from './window-helpers';
 import { AddressInfo } from 'net';
 import { emittedUntil } from './events-helpers';
+import { ifit } from './spec-helpers';
+
+const features = process._linkedBinding('electron_common_features');

 const messageContainsSecurityWarning = (event: Event, level: number, message: string) => {
  return message.indexOf('Electron Security Warning') > -1;
@@ -226,10 +229,13 @@ describe('security warnings', () => {
        expect(message).to.not.include('insecure-resources.html');
      });

-      it('should warn about enabled remote module with remote content', async () => {
+      ifit(features.isRemoteModuleEnabled())('should warn about enabled remote module with remote content', async () => {
        w = new BrowserWindow({
          show: false,
-          webPreferences
+          webPreferences: {
+            enableRemoteModule: true,
+            ...webPreferences
+          }
        });

        w.loadURL(`${serverUrl}/base-page-security.html`);
@@ -237,10 +243,13 @@ describe('security warnings', () => {
        expect(message).to.include('enableRemoteModule');
      });

-      it('should not warn about enabled remote module with remote content from localhost', async () => {
+      ifit(features.isRemoteModuleEnabled())('should not warn about enabled remote module with remote content from localhost', async () => {
        w = new BrowserWindow({
          show: false,
-          webPreferences
+          webPreferences: {
+            enableRemoteModule: true,
+            ...webPreferences
+          }
        });
        w.loadURL(`${serverUrl}/base-page-security-onload-message.html`);
        const [,, message] = await emittedUntil(w.webContents, 'console-message', isLoaded);