diff options
| author |  Kristóf Marussy <kristof@marussy.com> | 2021-07-24 02:23:48 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2021-07-24 02:23:48 +0200 |
| commit | 9c3c441941ad5060ec2db89b805a958a914547f3 (patch) | |
| tree | a4224d7bd2576797b14a2ffa1d25ba6e167351ae /recipes | |
| parent | Update submodules, browserslist data updates and linter fixes [skip ci] (diff) | |
| download | ferdium-app-9c3c441941ad5060ec2db89b805a958a914547f3.tar.gz ferdium-app-9c3c441941ad5060ec2db89b805a958a914547f3.tar.zst ferdium-app-9c3c441941ad5060ec2db89b805a958a914547f3.zip | |
Recipe context isolation (#1456)
* Enable service contextIsolation
* Enable contextIsolation on the service webviews
* Expose a new API window.ferdi in the service main world to allow
calling back into the service isolated world
* Expose a new IPC message inject-js-unsafe from the service isolated
world to execute Javascript in the service main world (i.e., run code
without context isolation). While the name contains the "unsafe"
suffix to show the lack of context isolation, this should mostly be
safe, as no nodejs APIs are available in the injected code.
* Refactor the Notifications shim into a part in the isolated world that
handles displaying and modifying notifications, and a shim in the main
world for the Notifications class. The two communicate via the
window.ferdi endpoint and a Promise object can be used to detect
notification clicks.
* Refactor the screen sharing shim into a part in the isolated world
that enumerated shareable screens and windows and a shim in the main
world that displays the media selector and completes the media
selection promise.
* Expose the injectJSUnsafe API to recipes to inject javascript code
into the main world without context isolation.
* Expose setBadge to the main world
The window.ferdi.setBadge API can be used to update the service badge
from injected unsafe Javascript
* Safer script injection into the service main world
Make sure that we don't try to serialize stray objects back from the
main world to the isolated world by always surrounding the script to be
executed by an anonymous function.
* Always read recipe assets as utf8
* Remove window.log from recipes
We didn't use it anywhere and its behavior was confusing in production
mode.
* Inject multiple unsafe scripts at the same time
* Find in page without remote module
Remove the @electron/remote dependency from the find in page (Ctrl+F)
functionality. The remote webContents is replaced with Electron IPC.
Synchronous IPC messages are handled in the main Electron process,
because the renderer process cannot reply to IPC messages synchronously.
* Update to latest contextIsolation recipes
* Fixing issue with missing 'fs' functions.
Co-authored-by: Vijay A <avijayr@protonmail.com>
Diffstat (limited to 'recipes')
| m--------- | recipes | 0 |
1 files changed, 0 insertions, 0 deletions
diff --git a/recipes b/recipes | |||
| Subproject ebb2cc3c68f74ce1d8b8a61d128078753d9a039 | Subproject 3108591b234d011e9681bf9aca366555b64cb8e | ||