NWJS Security and Cross-Origin Iframes #6696
Comments
You are right that the node iframe should have all the permissions by default, even if it's cross-origin. The security model in NW should override Chromium's regarding this case. Will look to fix it.
Thank you Rogerwang.
Is this a difficult fix? It seems to be breaking fundamental NWJS security.
Could you please provide a sample to demonstrate this?
Two examples inside. Edit: Updated examples adding nodejs:true to package.json
Assuming the definition 'node frames bypass all security', I would think this includes cross-origin iframes, and not requiring explicitly defined permissions such as allow="camera" for a node frame. This is an issue if your app loads a local HTML file and uses an iframe needing any of these permissions, thus becoming a cross-origin iframe.
Any workarounds for this?
@thedracle what specific permission do you need to work around? I can look to fix that first soon.
This is fixed in git and will be available in the next nightly build. |
NWJS Version: 31.2 (Latest)
Operating System: Windows 10, April Update
Expected behavior
According to NWJS security http://docs.nwjs.io/en/latest/For%20Users/Advanced/Security%20in%20NW.js/#security-in-nwjs
Node frames should bypass all 'security restrictions'
Chrome (latest) disables permissions by default in iframes, making permissions explicit. Another small issue is that there is no way to allow all permissions, e.g. allow="all".
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes
I'm currently unsure whether a node frame's scope includes disabling cross-origin permissions. I would think it should, unless someone corrects me.
Actual behavior
Node frames cannot bypass the new Iframe security features (Cross-Origin).
How to reproduce
"node-remote": [ "*://*/*" ],
Using this does not work
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/"></iframe>
Permissions have to be explicit despite it being a node frame
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/" allow="camera;microphone;"></iframe>
Edit:
The --disable-web-security flag does not work.
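The stock Chromium behaviour this report runs into, as an added example that is not part of the original issue or the NW.js code base: a simplified model of how the iframe `allow` attribute delegates camera and microphone to a cross-origin frame. The function names and the local parent URL are constructed for illustration, and the model ignores `Permissions-Policy` headers and the NW.js node-frame override discussed in the comments.

```javascript
// Simplified model of Chromium's permission delegation to iframes (added example).
// Assumptions: the top-level document holds the feature and sends no
// Permissions-Policy header; only the iframe "allow" attribute is modeled,
// and only for features whose default allowlist is 'self' (camera, microphone).

const PARENT = "file:///C:/app/index.html"; // constructed local app page
const FRAME = "https://webrtc.github.io/samples/src/content/devices/input-output/";

// Opaque origins serialize to "null" and are never same-origin with anything.
function sameOrigin(a, b) {
  return a !== "null" && a === b;
}

// allow="camera; microphone 'self'" -> Map { feature -> allowlist tokens }.
// A feature listed without tokens gets the implicit allowlist 'src'.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of (allowAttr || "").split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature.toLowerCase(), tokens.length ? tokens : ["'src'"]);
  }
  return policy;
}

function featureAllowedInFrame(feature, parentUrl, frameSrc, allowAttr) {
  const parentOrigin = new URL(parentUrl).origin;
  const frameOrigin = new URL(frameSrc, parentUrl).origin;
  const tokens = parseAllow(allowAttr).get(feature.toLowerCase());
  if (!tokens) {
    // Not delegated: the default allowlist 'self' admits same-origin frames only.
    return sameOrigin(parentOrigin, frameOrigin);
  }
  return tokens.some((t) => {
    if (t === "*" || t === "'src'") return true; // 'src' = origin the frame was loaded from
    if (t === "'self'") return sameOrigin(parentOrigin, frameOrigin);
    if (t === "'none'") return false;
    try { return sameOrigin(new URL(t).origin, frameOrigin); } catch { return false; }
  });
}

console.log("no allow attribute:", featureAllowedInFrame("camera", PARENT, FRAME, ""));
console.log("allow=camera;microphone;:", featureAllowedInFrame("camera", PARENT, FRAME, "camera;microphone;"));
```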