Menu was holding a SelfKeepAlive to itself from construction, so any
Menu that was never opened (e.g. an application menu replaced before
being shown) stayed pinned in cppgc forever. Repeated calls to
Menu.setApplicationMenu leaked every prior Menu along with its model
and items.
Restore the original Pin/Unpin lifecycle: start keep_alive_ empty and
only assign `this` in OnMenuWillShow. OnMenuWillClose already clears
it.
* chore: iwyu in shell/browser/api/electron_api_web_contents.h
* chore: iwyu in shell/browser/browser.h
* chore: iwyu in shell/browser/javascript_environment.h
* chore: iwyu in shell/common/gin_hhelper/function_template.h
* chore: do not include node_includes.h if we are not using it
* chore: fix transitive include
Adds the ability to temporarily suspend and resume global shortcut
handling via `globalShortcut.setSuspended()` and query the current
state via `globalShortcut.isSuspended()`. When suspended, registered
shortcuts stop listening and new registrations are rejected. When
resumed, previously registered shortcuts are automatically restored.
* chore: do not expose menu.isItemCheckedAt() to JS
Not used, documented, or typed. Added in dae98fa43f.
* chore: do not expose menu.isEnabledAt() to JS
Nto used, documented, or typed. Added in dae98fa43f.
* chore: do not expose menu.isVisibleAt() to JS
Not used, documented, or typed. Added in dae98fa43f.
* chore: remove unused undocumented API `getOjectHash`
Not used, documented, or typed. Added in ddad3e4846.
Appears to never have been used.
This removes two `raw_ptr<context::StoragePartition>` instances.
These pointers were used to build a ServiceWorkerMain* lookup key.
The key was built from [version_id, raw_ptr<StoragePartition>].
Unfortunately these keys could be dangling on shutdown.
This PR now uses stable, immutable fields for building the key:
[version_id, BrowserContext::UniqueId(), context::StoragePartitionConfig].
context::StoragePartitionConfig is a unique lookup key for StoragePartition
within a BrowserContext.
WebContentsPermissionHelper::CheckPermission was hardcoding
GetPrimaryMainFrame() and deriving the requesting origin from
web_contents_->GetLastCommittedURL(), so the setPermissionCheckHandler
callback always received the top frame's origin and
details.isMainFrame/details.requestingUrl always reflected the main
frame, even when a cross-origin subframe with allow="serial" or
allow="camera; microphone" triggered the check.
Thread the requesting RenderFrameHost through CheckPermission,
CheckSerialAccessPermission, and CheckMediaAccessPermission so the
permission manager receives the real requesting frame. Update the
serial delegate and WebContents::CheckMediaAccessPermission callers to
pass the frame they already have.
Adds a regression test that loads a cross-origin iframe with
allow="camera; microphone", calls enumerateDevices() from within the
iframe, and asserts the permission check handler receives the iframe
origin for requestingOrigin, isMainFrame, and requestingUrl.
* refactor: replace deprecated API base::GetProcId() in web_frame_main
* refactor: replace deprecated API base::GetProcId() in web_contents
* refactor: replace deprecated API base::GetProcId() in a11y ui
* refactor: frame.osProcessId now returns 0 instead of -1 for invalid processes.
This is consistent with WebContents.getOSProcessId
* chore: do not expose v8Util.getObjectHash() to JS
Not used, documented, or typed. Added in ddad3e4846.
* chore: do not expose DownloadItem.isDone() to JS
Not used, documented, or typed. Added in dcad25c98c.
* chore: do not expose BrowserWindow.isWebViewFocused() to JS
Not used, documented, or typed. Added in a949e9542d.
* chore: remove unused undocumented API `menu.worksWhenHiddenAt()`.
Not used, documented, or typed. Added by 544d8a423c.
* chore: remove unused undocumented API `menu.getCommandIdAt()
Not used, documented, or typed. Added by dae98fa43f.
* chore: do not expose `menu.getIndexOfCommandId()` to JS
Added by dae98fa43f but not documented, typed, or used by JS code.
The C++ method is used by other shell code, but not in JS.
* chore: remove unused undocumented API `menu.getLabelAt()`
Not used, documented, or typed. Added by dae98fa43f.
* chore: remove unused undocumented API `menu.getToolTipAt()`
Not used, documented, or typed. Added by 06d48514c6.
* chore: remove unused undocumented API `menu.getSubLabelAt()`
Not used, documented, or typed. Added by dae98fa43f.
refactor: remove unused internal method contents.canGoToIndex()
refactor: make WebContents::CanGoToIndex() private
The JS binding has been unused since 2021-04-27 #288390a1b26b1
The `OnTraceBufferUsageAvailable` callback creates V8 handles via
`Dictionary::CreateEmpty()` before `promise.Resolve()` enters its
`SettleScope` (which provides a `HandleScope`). When the callback
fires asynchronously from a Mojo response (i.e. when a trace session
is active), there is no `HandleScope` on the stack, causing a fatal
V8 error: "Cannot create a handle without a HandleScope".
Add an explicit `v8::HandleScope` at the top of the callback, matching
the pattern used by the other contentTracing APIs which resolve their
promises through `SettleScope` or the static `ResolvePromise` helper.
Made-with: Cursor
Removes unreferenced code found via codebase sweep. Each category below may
indicate a missing feature rather than truly-unused code — see PR description.
Dead class (1):
ElectronNavigationUIData — never instantiated; ElectronBrowserClient uses
upstream ExtensionNavigationUIData directly
Unused methods (7):
CertificateManagerModel: ImportUserCert, ImportCACerts, ImportServerCert,
Delete, is_user_db_available (only PKCS12 path is used)
AutofillDriverFactory::AddDriverForFrame + CreationCallback type
ZoomLevelDelegate::SetDefaultZoomLevelPref
gtk_util: GetOpenLabel, GetSaveLabel
Unused members (2):
AutofillPopup::selected_index_
InspectableWebContents::synced_setting_names_
Declaration fixes (6):
menu_util.h: BuildMenuItemWithImage signature corrected (GtkWidget* → gfx::Image&)
win_frame_view.h: GetReadableFeatureColor (impl removed, decl left behind)
frameless_view.h: friend class NativeWindowsViews (typo, class does not exist)
Forward decls: WebDialogHelper, ChromeContentRendererClient,
ElectronNativeWindowObserver, ValueStoreFactory
* fix: lazily initialize safeStorage async encryptor
The SafeStorage constructor previously registered a browser observer that
called os_crypt_async()->GetInstance() on app-ready. Because ESM named
imports (import { x } from 'electron') eagerly evaluate all electron
module getters, simply importing electron in an ESM entrypoint would
construct SafeStorage and touch the OS keychain on app-ready, even when
safeStorage was never used.
This showed up as a macOS CI hang: the esm-spec import-meta fixture
triggers a keychain access prompt that blocks the test runner until
timeout.
Now the async encryptor is requested lazily on the first call to
encryptStringAsync, decryptStringAsync, or isAsyncEncryptionAvailable.
isAsyncEncryptionAvailable now returns a Promise that resolves once
initialization completes, matching what the docs already stated.
* chore: lint
* fix: add HandleScope in OnOsCryptReady for pending operations
OnOsCryptReady fires asynchronously from a posted task without an active
V8 HandleScope. Previously this was harmless because eager init meant the
pending queues were always empty when it fired. With lazy init, operations
queue up first, then the callback processes them and needs to create V8
handles (Buffer::Copy, Dictionary::CreateEmpty, Promise::Resolve).
feat: add nativeTheme.shouldDifferentiateWithoutColor on macOS
Adds nativeTheme.shouldDifferentiateWithoutColor on macOS that maps to
NSWorkspace.accessibilityDisplayShouldDifferentiateWithoutColor. If true,
the user has indicated that they prefer UI that differentiates items with
something other than color alone. This is useful for users with color
vision deficiency.
* feat: add copyVideoFrameAt and saveVideoFrameAs Method on Webcontent
chore: change the description of savevideoframe api
chore: add the description of the restrictive elements for using the APIs.
move to webframemain
fixed mediaPlayerAction to kSaveVideoFrameAs
Update spec/api-web-frame-main-spec.ts
Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>
Update spec/api-web-frame-main-spec.ts
Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>
fixed clipboard tests for video frame copying
fixed test for copying video frame to clipboard. check video loaded before copy video frame in test.
chore: try non-proprietary video format
Revert "chore: try non-proprietary video format"
This reverts commit ef085f88a1af53b6408a7af695cc60b8681398cf.
fix: format video as file url
* test: skip webFrameMain.copyVideoFrameAt on win32 CI due Chromium DCHECK
* fix: correct utility process exit code on Windows
On Windows, process exit codes are 32-bit unsigned integers (DWORD).
When passed from Chromium to Electron as a signed int and then
implicitly converted to uint64_t, values with the high bit set
(e.g., NTSTATUS codes) undergo sign extension, producing incorrect
values.
Cast the exit code to uint32_t before widening to uint64_t to
prevent sign extension and preserve the original Windows exit code.
Fixes#49455
* fix: narrow HandleTermination and Shutdown to uint32_t, add tests
refactor: replace CHILD_PLUGIN with CHILD_EMBEDDER_FIRST on macOS
Chromium removed upstream support for child plugin processes without
library validation in https://crbug.com/461717105, which we patched
back via feat_restore_macos_child_plugin_process.patch.
Chromium's CHILD_EMBEDDER_FIRST mechanism already provides the right
extensibility point for this: values > CHILD_EMBEDDER_FIRST are reserved
for embedders and resolved via ContentBrowserClient::GetChildProcessSuffix().
Chrome itself uses this pattern for its Alerts helper process.
This commit replaces the Chromium patch with an Electron-native
implementation.
* feat: add custom `id` property to Notification API (macOS only)
* feat: add `groupId` property to Notification API (macOS). Notifications with the same groupId will be visually grouped together in Notification Center
* fix: move validation to construction time, add empty string check, remove setters
* docs: clarify id/group id properties, make instance properties read-only
* test: update tests to reflect read-only properties
* refactor: migrate electron::api::tray to cppgc
* chore: add Tray to wrappable_pointer_tags.h patch
* fixup! refactor: migrate electron::api::tray to cppgc
clear keep_alive_ if error is thrown in constructor
* refactor: make Tray::menu_ a cppgc::Member<Menu>
* Feat: support getDevToolsId() on WebContents
* Rename to `getOrCreateDevToolsTargetId`
* build: use spawn instead of spawnSync for build (#49774)
* Fix build
* formatting
---------
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
* docs: document that getCursorScreenPoint() needs a Window on Wayland
* feat: add IsWayland() helper
* fix: Wayland crash in GetCursorScreenPoint()
fix: support Screen::GetCursorScreenPoint() on X11
PowerMonitor registered OS-level callbacks (HWND UserData and
WTS/suspend notifications on Windows, shutdown handler and lock-screen
observer on macOS) but never cleaned them up in its destructor. The JS
layer also only held the native object in a closure-local variable,
allowing GC to reclaim it while those registrations still referenced
freed memory.
Retain the native PowerMonitor at module level in power-monitor.ts so
it cannot be garbage-collected. Add DestroyPlatformSpecificMonitors()
to properly tear down OS registrations on destruction: on Windows,
unregister WTS and suspend notifications, clear GWLP_USERDATA, and
destroy the HWND; on macOS, remove the emitter from the global
MacLockMonitor and reset the Browser shutdown handler.
EnterFullscreenModeForTab, RequestPointerLock, and RequestKeyboardLock
bind callbacks with base::Unretained(this); fullscreen also captures a
raw RenderFrameHost*. These callbacks may be invoked by the app's JS
permission handler after the WebContents or RenderFrameHost is destroyed.
Use GetWeakPtr() in all three call sites, and capture a
GlobalRenderFrameHostToken instead of the raw RenderFrameHost* for
fullscreen so the pointer is resolved and null-checked only when the
callback fires. Cancel in-flight permission requests from ~WebContents()
via a new ElectronPermissionManager::CancelPendingRequests()` so stale
callbacks are never handed back to JS.
* feat: add macOS-only api to determine if app is currently active
You can `focus()` the app and get events for `did-become-active`, but there's currently not a way to directly check if your app is the active (foreground) application.
* test: add unit test for app.isActive api
* fix: ensure we hide app after showing in test
If the app is still active, it may affect other tests like dock.bounce
that behave differently depending on whether the app is active
* docs: simplify isActive api description
* feat: show toast dismissal reason on Windows
* Update docs/api/notification.md
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
---------
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
fix: bind offscreen paint callback to child WebContents
Previously, MaybeOverrideCreateParamsForNewWindow bound the
OffScreenWebContentsView's paint callback to the parent WebContents
using base::Unretained(this). This was both unsafe (dangling pointer
risk if the parent is destroyed before the child) and semantically
incorrect — paint events belong to the child window, not the opener.
Replace the callback in MaybeOverrideCreateParamsForNewWindow with
base::DoNothing(), then rebind it to the child WebContents in
AddNewContents via a new SetCallback method on OffScreenWebContentsView.
* chore: bump chromium in DEPS to 147.0.7693.0
* chore: bump chromium in DEPS to 147.0.7694.0
* chore: bump chromium in DEPS to 147.0.7695.0
* chore: bump chromium in DEPS to 147.0.7697.0
* chore: bump chromium in DEPS to 147.0.7698.0
* fix(patch): IsGuest moved to SecurityPrincipal
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7234613
Co-Authored-By: Claude (claude-opus-4-6)
* chore: update patches (trivial only)
* fix(patch): v8::External API now requires ExternalPointerTypeTag
Ref: https://chromium-review.googlesource.com/c/v8/v8/+/7562476
Co-Authored-By: Claude (claude-opus-4-6)
* fix: update CreateCustomWebContents signature
Upstream added disposition and window_features parameters.
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7585256
Co-Authored-By: Claude (claude-opus-4-6)
* fix: OriginatingProcess renamed to OriginatingProcessId
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7557820
Co-Authored-By: Claude (claude-opus-4-6)
* fix: kLogNetLog moved from network::switches to net::switches
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7559090
Co-Authored-By: Claude (claude-opus-4-6)
* fix(patch): patch out glic and save-to-drive Profile usage in PDF
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7589312
Co-Authored-By: Claude (claude-opus-4-6)
* chore: bump chromium in DEPS to 147.0.7699.0
* chore: remove upstreamed pseudonymization salt descriptor code
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7568382
Co-Authored-By: Claude (claude-opus-4-6)
* chore: update patches (trivial only)
* chore: update reclient patch format (copy-from to new-file)
Co-Authored-By: Claude (claude-opus-4-6)
* chore: remove upstreamed patch and update stale patches
Co-Authored-By: Claude (claude-opus-4-6)
* fix: expose GetLibGdk3 and guard glic function body
GetLibGdk3 needs to be public for Electron's gdk_display_beep usage.
ShouldShowGlicSummarizeButton body must be guarded, not just call site.
Co-Authored-By: Claude (claude-opus-4-6)
* fix(patch): v8::External API in nan requires ExternalPointerTypeTag
Ref: https://chromium-review.googlesource.com/c/v8/v8/+/7562476
Co-Authored-By: Claude (claude-opus-4-6)
* fixup fix(patch): v8::External API in nan requires ExternalPointerTypeTag
* fixup: remove extraneous changes to patches
Caused by
debb3716816e51034728
* fixup: revert fix: expose GetLibGdk3 and guard glic function body
Reverts 6e51034728 as this was an unneeded changed caused by the incorrect changes made in debb371681
* 7586673: Update logic for showing pdf summarize button
7586673: Update logic for showing pdf summarize button | https://chromium-review.googlesource.com/c/chromium/src/+/7586673
Also 7454131: set enable_glic=true | https://chromium-review.googlesource.com/c/chromium/src/+/7454131 (landed in previous roll)
---------
Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Alice Zhao <alicelovescake@anthropic.com>
Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>
* guard against window destruction in min/max size checks
* use weakptr to prevent hit test crash on teardown
* revove web contents views during teardown
* fix test failure
* fix other tests
