NWJS Security and Cross-Origin Iframes
NWJS Version: 31.2 (Latest)
Operating System: Windows 10, April Update
Expected behavior
According to NWJS security http://docs.nwjs.io/en/latest/For Users/Advanced/Security in NW.js/#security-in-nwjs
Node frames should bypass all ‘security restrictions’
Node frames have following extra capabilities than normal frames:
Bypass all security restrictions, such as sandboxing, same origin policy etc. For example, you can make cross origin XHR to any remote sites, or access to <iframe> element whose src points to remote sites in node frames.
Chrome (latest) disables permissions by default in iframes, making permissions explicit. Another small issue is that there is no way to allow all permissions, e.g. allow="all".
This deprecation is expected to ship in Chrome M64 (around January 2018). At that time, if a cross-origin iframe attempts to use permission without the feature being explicitly allowed, a console warning will be logged and the feature will fail in a similar way as it would if a user had denied a permission prompt.
It’s proposed that by default the following permissions cannot be requested or used by content contained in cross-origin iframes:
I'm currently unsure if a node frame's scope includes disabling these cross-origin permission restrictions; I would think it should, unless someone corrects me.
Actual behavior
Node frames cannot bypass the new Iframe security features (Cross-Origin).
How to reproduce
- App loads a local index.html file that has an iframe to a cross-origin address (ensure it is a node frame).
- All frames are node frames (package.json):
"node-remote": [ "*://*/*" ],
Using this does not work
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/"></iframe>
Permissions have to be explicit despite it being a node frame
<iframe src="https://webrtc.github.io/samples/src/content/devices/input-output/" allow="camera;microphone;"></iframe>
Edit:
The --disable-web-security flag does not work.
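The permission-delegation model the reproduction runs into, as an added example that is not part of the issue or of NW.js: a small parser for the iframe `allow` attribute (the Permissions Policy container policy) and a check for whether a feature is delegated to a cross-origin frame. The function names (parseAllow, featureAllowedInFrame, buildAllow), the constructed origins, and the simplification that the feature's default allowlist is 'self' (as it is for camera and microphone) are assumptions of this example.

```javascript
'use strict';

// Added example, not code from the NW.js issue or project. It models the
// container policy carried by an iframe's `allow` attribute, which is what
// Chrome consults before letting a cross-origin frame use camera, microphone
// and similar features.

// Parse an `allow` attribute into Map<feature, allowlist>.
// Directives are separated by ';'. Each one is a feature name followed by
// optional whitespace-separated allowlist entries:
//   *       any origin
//   'self'  the embedding document's origin
//   'src'   the origin of the iframe's src URL (the default when omitted)
//   'none'  no origin at all
//   https://example.com  one specific origin
// There is no wildcard feature name, so every delegated feature must be named.
function parseAllow(attr) {
  const policy = new Map();
  for (const directive of String(attr).split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerates the trailing ';' in "camera;microphone;"
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist.length > 0 ? allowlist : ["'src'"]);
  }
  return policy;
}

// Decide whether `feature` is usable by a frame document at `frameOrigin`.
// `srcOrigin` is the origin of the iframe's src attribute and `embedderOrigin`
// the origin of the page containing the iframe. Simplification (assumption of
// this example): the embedder itself is allowed the feature, and the feature's
// default allowlist is 'self', as it is for camera and microphone. Under that
// default a feature missing from `allow` is only usable by same-origin frames,
// which is the behaviour the issue above reports for node frames.
function featureAllowedInFrame(policy, feature, { frameOrigin, srcOrigin, embedderOrigin }) {
  const allowlist = policy.get(feature.toLowerCase());
  if (allowlist === undefined) {
    return frameOrigin === embedderOrigin;
  }
  return allowlist.some((entry) => {
    if (entry === '*') return true;
    if (entry === "'none'") return false;
    if (entry === "'self'") return frameOrigin === embedderOrigin;
    if (entry === "'src'") return frameOrigin === srcOrigin;
    return entry === frameOrigin; // an explicit origin
  });
}

// Build the least-privilege attribute for the features a frame actually needs,
// each pinned to the frame's own origin so a navigation elsewhere loses them.
function buildAllow(features) {
  return features.map((f) => `${f} 'src'`).join('; ');
}

// Constructed demo mirroring the reproduction above: a local page embedding
// the WebRTC sample, which needs camera and microphone.
const demoCtx = {
  frameOrigin: 'https://webrtc.github.io',
  srcOrigin: 'https://webrtc.github.io',
  embedderOrigin: 'file://',
};
console.log(featureAllowedInFrame(parseAllow(''), 'camera', demoCtx));                   // false: nothing delegated
console.log(featureAllowedInFrame(parseAllow('camera;microphone;'), 'camera', demoCtx)); // true
console.log(buildAllow(['camera', 'microphone']));                                       // camera 'src'; microphone 'src'
```

Run it with node. The last function is the defender's answer to the missing allow="all": enumerate only the features the embedded page needs, scoped to its own origin, rather than granting everything.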
Top GitHub Comments
You are right that the node iframe should have all the permissions by default, even if it's cross-origin. The security model in NW should override Chromium's regarding this case. Will look to fix it.
This is fixed in git and will be available in the next nightly build.