From 9c3c441941ad5060ec2db89b805a958a914547f3 Mon Sep 17 00:00:00 2001 From: Kristóf Marussy Date: Sat, 24 Jul 2021 02:23:48 +0200 Subject: Recipe context isolation (#1456) * Enable service contextIsolation * Enable contextIsolation on the service webviews * Expose a new API window.ferdi in the service main world to allow calling back into the service isolated world * Expose a new IPC message inject-js-unsafe from the service isolated world to execute Javascript in the service main world (i.e., run code without context isolation). While the name contains the "unsafe" suffix to show the lack of context isolation, this should mostly be safe, as no nodejs APIs are available in the injected code. * Refactor the Notifications shim into a part in the isolated world that handles displaying and modifying notifications, and a shim in the main world for the Notifications class. The two communicate via the window.ferdi endpoint and a Promise object can be used to detect notification clicks. * Refactor the screen sharing shim into a part in the isolated world that enumerated shareable screens and windows and a shim in the main world that displays the media selector and completes the media selection promise. * Expose the injectJSUnsafe API to recipes to inject javascript code into the main world without context isolation. * Expose setBadge to the main world The window.ferdi.setBadge API can be used to update the service badge from injected unsafe Javascript * Safer script injection into the service main world Make sure that we don't try to serialize stray objects back from the main world to the isolated world by always surrounding the script to be executed by an anonymous function. * Always read recipe assets as utf8 * Remove window.log from recipes We didn't use it anywhere and its behavior was confusing in production mode. * Inject multiple unsafe scripts at the same time * Find in page without remote module Remove the @electron/remote dependency from the find in page (Ctrl+F) functionality. The remote webContents is replaced with Electron IPC. Synchronous IPC messages are handled in the main Electron process, because the renderer process cannot reply to IPC messages synchronously. * Update to latest contextIsolation recipes * Fixing issue with missing 'fs' functions. Co-authored-by: Vijay A --- src/webview/badge.js | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 src/webview/badge.js (limited to 'src/webview/badge.js') diff --git a/src/webview/badge.js b/src/webview/badge.js new file mode 100644 index 000000000..1e02fb56a --- /dev/null +++ b/src/webview/badge.js @@ -0,0 +1,33 @@ +const { ipcRenderer } = require('electron'); + +const debug = require('debug')('Ferdi:Plugin:BadgeHandler'); + +export class BadgeHandler { + constructor() { + this.countCache = { + direct: 0, + indirect: 0, + }; + } + + setBadge(direct, indirect) { + if (this.countCache.direct === direct + && this.countCache.indirect === indirect) return; + + // Parse number to integer + // This will correct errors that recipes may introduce, e.g. + // by sending a String instead of an integer + const directInt = parseInt(direct, 10); + const indirectInt = parseInt(indirect, 10); + + const count = { + direct: Math.max(directInt, 0), + indirect: Math.max(indirectInt, 0), + }; + + ipcRenderer.sendToHost('message-counts', count); + Object.assign(this.countCache, count); + + debug('Sending badge count to host', count); + } +} -- cgit v1.2.3-54-g00ecf