fix: chrome.tabs 'url' and 'title' are privileged information (#39595)

fix: tabs url and title are privileged information
Shelley Vohr
2023-08-22 14:56:58 +02:00
committed by GitHub
parent bfa58df7c9
commit e1d63794e5
10 changed files with 129 additions and 31 deletions


@@ -842,15 +842,14 @@ describe('chrome extensions', () => {
before(async () => {
customSession = session.fromPartition(`persist:${uuid.v4()}`);
await customSession.loadExtension(path.join(fixtures, 'extensions', 'tabs-api-async'));
await customSession.loadExtension(path.join(fixtures, 'extensions', 'chrome-tabs', 'api-async'));
});
beforeEach(() => {
w = new BrowserWindow({
show: false,
webPreferences: {
session: customSession,
nodeIntegration: true
session: customSession
}
});
});
@@ -913,27 +912,55 @@ describe('chrome extensions', () => {
});
});
it('get', async () => {
await w.loadURL(url);
describe('get', () => {
it('returns tab properties', async () => {
await w.loadURL(url);
const message = { method: 'get' };
w.webContents.executeJavaScript(`window.postMessage('${JSON.stringify(message)}', '*')`);
const message = { method: 'get' };
w.webContents.executeJavaScript(`window.postMessage('${JSON.stringify(message)}', '*')`);
const [,, responseString] = await once(w.webContents, 'console-message');
const [,, responseString] = await once(w.webContents, 'console-message');
const response = JSON.parse(responseString);
expect(response).to.have.property('active').that.is.a('boolean');
expect(response).to.have.property('autoDiscardable').that.is.a('boolean');
expect(response).to.have.property('discarded').that.is.a('boolean');
expect(response).to.have.property('groupId').that.is.a('number');
expect(response).to.have.property('highlighted').that.is.a('boolean');
expect(response).to.have.property('id').that.is.a('number');
expect(response).to.have.property('incognito').that.is.a('boolean');
expect(response).to.have.property('index').that.is.a('number');
expect(response).to.have.property('pinned').that.is.a('boolean');
expect(response).to.have.property('selected').that.is.a('boolean');
expect(response).to.have.property('url').that.is.a('string');
expect(response).to.have.property('windowId').that.is.a('number');
const response = JSON.parse(responseString);
expect(response).to.have.property('url').that.is.a('string');
expect(response).to.have.property('title').that.is.a('string');
expect(response).to.have.property('active').that.is.a('boolean');
expect(response).to.have.property('autoDiscardable').that.is.a('boolean');
expect(response).to.have.property('discarded').that.is.a('boolean');
expect(response).to.have.property('groupId').that.is.a('number');
expect(response).to.have.property('highlighted').that.is.a('boolean');
expect(response).to.have.property('id').that.is.a('number');
expect(response).to.have.property('incognito').that.is.a('boolean');
expect(response).to.have.property('index').that.is.a('number');
expect(response).to.have.property('pinned').that.is.a('boolean');
expect(response).to.have.property('selected').that.is.a('boolean');
expect(response).to.have.property('windowId').that.is.a('number');
});
it('does not return privileged properties without tabs permission', async () => {
const noPrivilegeSes = session.fromPartition(`persist:${uuid.v4()}`);
await noPrivilegeSes.loadExtension(path.join(fixtures, 'extensions', 'chrome-tabs', 'no-privileges'));
w = new BrowserWindow({ show: false, webPreferences: { session: noPrivilegeSes } });
await w.loadURL(url);
w.webContents.executeJavaScript('window.postMessage(\'{}\', \'*\')');
const [,, responseString] = await once(w.webContents, 'console-message');
const response = JSON.parse(responseString);
expect(response).not.to.have.property('url');
expect(response).not.to.have.property('title');
expect(response).to.have.property('active').that.is.a('boolean');
expect(response).to.have.property('autoDiscardable').that.is.a('boolean');
expect(response).to.have.property('discarded').that.is.a('boolean');
expect(response).to.have.property('groupId').that.is.a('number');
expect(response).to.have.property('highlighted').that.is.a('boolean');
expect(response).to.have.property('id').that.is.a('number');
expect(response).to.have.property('incognito').that.is.a('boolean');
expect(response).to.have.property('index').that.is.a('number');
expect(response).to.have.property('pinned').that.is.a('boolean');
expect(response).to.have.property('selected').that.is.a('boolean');
expect(response).to.have.property('windowId').that.is.a('number');
});
});
it('reload', async () => {
@@ -960,6 +987,19 @@ describe('chrome extensions', () => {
const [,, responseString] = await once(w.webContents, 'console-message');
const response = JSON.parse(responseString);
expect(response).to.have.property('url').that.is.a('string');
expect(response).to.have.property('title').that.is.a('string');
expect(response).to.have.property('active').that.is.a('boolean');
expect(response).to.have.property('autoDiscardable').that.is.a('boolean');
expect(response).to.have.property('discarded').that.is.a('boolean');
expect(response).to.have.property('groupId').that.is.a('number');
expect(response).to.have.property('highlighted').that.is.a('boolean');
expect(response).to.have.property('id').that.is.a('number');
expect(response).to.have.property('incognito').that.is.a('boolean');
expect(response).to.have.property('index').that.is.a('number');
expect(response).to.have.property('pinned').that.is.a('boolean');
expect(response).to.have.property('selected').that.is.a('boolean');
expect(response).to.have.property('windowId').that.is.a('number');
expect(response).to.have.property('mutedInfo').that.is.a('object');
const { mutedInfo } = response;
expect(mutedInfo).to.deep.eq({
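Review bot: The negative case in the second hunk, 'does not return privileged properties without tabs permission', only asserts that `url` and `title` are absent, while Chrome's tabs API documents `pendingUrl` and `favIconUrl` as gated by the same permission. Adding `expect(response).not.to.have.property('pendingUrl');` and `expect(response).not.to.have.property('favIconUrl');` would guard against those fields leaking if they are populated later; whether this implementation fills them today is not visible here. The same test also reassigns `w`, which `beforeEach` has already set to a window on `customSession`, so the first window is only cleaned up if a teardown outside these hunks closes every open window.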


@@ -1,5 +1,5 @@
{
"name": "tabs-api-async",
"name": "api-async",
"version": "1.0",
"content_scripts": [
{
@@ -8,6 +8,7 @@
"run_at": "document_start"
}
],
"permissions": ["tabs"],
"background": {
"service_worker": "background.js"
},


@@ -0,0 +1,6 @@
/* global chrome */
chrome.runtime.onMessage.addListener((_request, sender, sendResponse) => {
chrome.tabs.get(sender.tab.id).then(sendResponse);
return true;
});
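Review bot: `chrome.tabs.get(sender.tab.id).then(sendResponse)` has no rejection handler, so if the lookup fails the response channel kept open by `return true` is never answered and the spec waiting on `console-message` can only fail by timeout. Passing a second callback, e.g. `.then(sendResponse, (err) => sendResponse({ error: String(err) }))`, would turn that into an immediate assertion failure with the cause in the payload. A one-line comment saying that this worker deliberately returns the raw tab object, so the spec can check which fields are scrubbed, would also help the next reader.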


@@ -0,0 +1,11 @@
/* global chrome */
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
sendResponse(request);
});
window.addEventListener('message', () => {
chrome.runtime.sendMessage({}, response => {
console.log(JSON.stringify(response));
});
}, false);
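Review bot: The `chrome.runtime.onMessage` listener at the top of this content script echoes `request` back, but nothing visible in this fixture's background worker sends a message to the tab, so it looks like a leftover from the fixture it was copied from; `sender` is unused as well. Dropping it would leave only the path the spec exercises. The `message` handler also fires for any posted message regardless of source, which is acceptable for a fixture but deserves a short comment such as `// test-only: any window message triggers the tabs.get round trip`, given that the manifest injects this script on `<all_urls>`.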


@@ -0,0 +1,19 @@
{
"name": "no-privileges",
"version": "1.0",
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"main.js"
],
"run_at": "document_start"
}
],
"background": {
"service_worker": "background.js"
},
"manifest_version": 3
}