feat: webxdc: make isSecureContext === true
#3413
changelog missing
2f552f5 to 2d6377c
Added a changelog entry
src/main/index.ts
Outdated
@@ -35,6 +35,25 @@ protocol.registerSchemesAsPrivileged([ | |||
{ | |||
scheme: 'webxdc', | |||
privileges: { | |||
// This gives apps access to APIs such as | |||
// - Web Cryptography | |||
// - Clipboard |
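Review bot: The comment inside `privileges` lists "Clipboard" among the APIs this gives apps access to, but it does not say whether that access still goes through a permission request. Either note next to each listed API whether it remains behind a permission check, or list only the APIs that apps can actually reach once this is set. The hunk header shows 19 added lines while only these comment lines are visible here, so keep the comment directly above the privilege key it documents so that the two cannot drift apart.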
So whenever I open a webXDC app it will be able to take my clipboard and paste it into the chat?
probably not, but I guess we should test against that before merging
I have tested it. It's already the case, even without `isSecureContext`. Try

```js
window.addEventListener('DOMContentLoaded', () => {
  const textarea = document.createElement('textarea');
  document.body.appendChild(textarea);
  textarea.focus();
  setTimeout(() => {
    document.execCommand('paste');
  });
});
```
:( Then I guess it is a bug, would be nice to work around this somehow.
This suggests it should not work: https://stackoverflow.com/questions/6969403/why-is-document-execcommandpaste-not-working-in-google-chrome
So I removed the "Clipboard" point because yeah, it requires permission, which is currently denied (the `write()` API too) (but `document.execCommand('paste')` still works, but it's not directly related to this MR).
That is to say, clipboard-related security is not affected by this MR.
2d6377c to c59a436
did not follow all discussions, but only looking at the pr, it is not clear to me, which real-world-issue this pr will fix. esp. as it seems there are some potential side effects, it would be helpful to elaborate the gist in the pr description a bit more
If you want an example, The main point of this MR as I see it is to bring us a step closer to giving apps access to camera, geolocation and other stuff that requires permissions. See the forum post I linked in the comments. Also FYI
To give a background for what's "secure context":
...for the apps. Related test: webxdc/webxdc-test#24
c59a436 to 0f4be76
thanks for more detailed explanations! (it is much clearer now than trying to search information from some linked issues with linked URLs each. a good PR description cannot be overestimated :) having crypto api would be nice, indeed. also indeed, it now sounds reasonable that webxdc apps should be considered "secure context" if https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts says "Locally-delivered resources [...] are also considered to have been delivered securely." however, i would leave final decision up to the desktop maintainers or ppl who are more into security.
...for the apps.
Related test: webxdc/webxdc-test#24
I have tested it with webxdc/webxdc-test#24 and it works.