
NWJS Security and Cross-Origin Iframes #6696

Closed
mscreenie opened this issue Jun 17, 2018 · 8 comments

Comments

@mscreenie
Contributor

mscreenie commented Jun 17, 2018

NWJS Version: 31.2 (Latest)
Operating System: Windows 10, April Update

Expected behavior

According to NWJS security http://docs.nwjs.io/en/latest/For%20Users/Advanced/Security%20in%20NW.js/#security-in-nwjs

Node frames should bypass all 'security restrictions'

Node frames have following extra capabilities than normal frames:

Bypass all security restrictions, such as sandboxing, same origin policy etc. For example, you can make cross origin XHR to any remote sites, or access to <iframe> element whose src points to remote sites in node frames.

Chrome (latest) disables permissions by default in iframes, making permissions explicit. Another small issue is that there is no way to allow all permissions, e.g. allow="all".

This deprecation is expected to ship in Chrome M64 (around January 2018). At that time, if a cross-origin iframe attempts to use permission without the feature being explicitly allowed, a console warning will be logged and the feature will fail in a similar way as it would if a user had denied a permission prompt.

It’s proposed that by default the following permissions cannot be requested or used by content contained in cross-origin iframes:

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes

I'm currently unsure if a node frame's scope includes disabling cross-origin permission restrictions; I would think it should, unless someone corrects me.

Actual behavior

Node frames cannot bypass the new Iframe security features (Cross-Origin).

How to reproduce

  1. App loads a local index.html file that has an iframe to a cross-origin address. (Ensure it is a node frame.)
  2. All frames are node frames, via package.json:
     "node-remote": [ "*://*/*" ],

Using this does not work
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/"></iframe>

Permissions have to be explicit despite it being a node frame
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/" allow="camera;microphone;"></iframe>

Edit:

The --disable-web-security flag does not work.
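As an added example (not code from the issue or from NW.js), the snippet below shows the check an app author has to make once Chromium's default applies: decide whether an embedded frame is cross-origin relative to the page that hosts it, and if so emit an explicit `allow` attribute listing only the features that frame needs, since there is no `allow="all"`. The app page URL, the feature list and the helper names are assumptions; the feature names come from the issue (`camera`, `microphone`) and from the Chromium deprecation notice it links.

```javascript
// Added example, not NW.js or the issue author's code.
// Goal: explicit, least-privilege `allow` attributes for cross-origin iframes.

// Feature names the policy covers in this example. `camera` and `microphone`
// appear in the issue; the rest are taken from the linked Chromium notice.
const KNOWN_FEATURES = new Set([
  'camera', 'microphone', 'geolocation', 'midi', 'encrypted-media',
]);

// Return the tuple origin "scheme://host[:port]" for network schemes, or null
// for opaque origins (file:, data:, about:), which never match anything.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!['http:', 'https:', 'ws:', 'wss:'].includes(u.protocol)) return null;
  return `${u.protocol}//${u.host}`; // WHATWG URL drops default ports from host
}

// True when the frame does not share the hosting page's origin. A local
// file:// app page (the case in this issue) is opaque, so any http(s) embed
// is cross-origin. Relative frame sources resolve against the app page.
function isCrossOrigin(appPageUrl, frameSrc) {
  const app = originOf(appPageUrl);
  const frame = originOf(new URL(frameSrc, appPageUrl).href);
  return app === null || frame === null || app !== frame;
}

// Build the `allow` attribute value, rejecting unknown feature names so a
// typo cannot silently widen or drop a grant. Duplicates are removed.
function buildAllowAttribute(features) {
  const unknown = features.filter((f) => !KNOWN_FEATURES.has(f));
  if (unknown.length) throw new Error(`unknown feature(s): ${unknown.join(', ')}`);
  return [...new Set(features)].join('; ');
}

// Minimal attribute escaping for the generated markup.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Emit the iframe tag. Same-origin frames inherit the parent's permissions
// and get no `allow`; cross-origin frames get exactly the requested features.
function iframeTag(appPageUrl, frameSrc, features) {
  const attrs = [`src="${escapeAttr(frameSrc)}"`];
  if (isCrossOrigin(appPageUrl, frameSrc) && features.length) {
    attrs.push(`allow="${escapeAttr(buildAllowAttribute(features))}"`);
  }
  return `<iframe ${attrs.join(' ')}></iframe>`;
}

// Constructed sample inputs mirroring the issue: a local app page embedding
// the WebRTC device sample, which needs camera and microphone.
const APP_PAGE = 'file:///C:/app/index.html'; // assumed local path
const FRAME_SRC = 'https://webrtc.github.io/samples/src/content/devices/input-output/';

console.log(iframeTag(APP_PAGE, FRAME_SRC, ['camera', 'microphone']));
// → <iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/" allow="camera; microphone"></iframe>
```

The point of keeping a fixed feature set is that the Chromium default fails closed: an unlisted feature behaves as if the user had denied the prompt, so the safe posture is to list each grant deliberately rather than reach for a blanket allow, whichever side of the node-frame question NW.js lands on.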

@rogerwang
Member

You are right that the node iframe should have all the permissions by default, even if it's cross-origin. The security model in NW should override Chromium's regarding this case. Will look to fix it.

@mscreenie
Contributor Author

Thank you Rogerwang.

@mscreenie
Contributor Author

Is this a difficult fix? It seems to be breaking fundamental NWJS security.

@rogerwang
Member

Could you please provide a sample to demonstrate this?

@mscreenie
Contributor Author

Two examples inside.

Edit: Updated examples adding nodejs:true to package.json

app-security-nodeframes.zip

  1. app-notworking
  2. app-working

Assuming the definition 'node frames bypass all security', I would think this includes cross-origin iframes and not requiring explicitly defined permissions such as allow="camera" for a node frame.

This is an issue if your app loads a local HTML file and uses an iframe needing any of these permissions, since it then becomes a cross-origin iframe.

@thedracle

Any workarounds for this?

@rogerwang
Member

@thedracle what specific permission do you need to work around? I can look to fix that first soon.

@rogerwang
Member

This is fixed in git and will be available in the next nightly build.

4 participants