diff --git a/.changes/disable-script-inject-subframe.md b/.changes/disable-script-inject-subframe.md new file mode 100644 index 000000000..110d1b68a --- /dev/null +++ b/.changes/disable-script-inject-subframe.md @@ -0,0 +1,5 @@ +--- +"wry": patch +--- + +On macOS, disable initialization script injection into subframes. diff --git a/src/webkitgtk/mod.rs b/src/webkitgtk/mod.rs index 038d214a5..2f4fcf9c7 100644 --- a/src/webkitgtk/mod.rs +++ b/src/webkitgtk/mod.rs @@ -601,6 +601,7 @@ impl InnerWebView { if let Some(manager) = self.webview.user_content_manager() { let script = UserScript::new( js, + // TODO: feature to allow injecting into subframes UserContentInjectedFrames::TopFrame, UserScriptInjectionTime::Start, &[], diff --git a/src/webview2/mod.rs b/src/webview2/mod.rs index 4fd93e733..2fdde4a28 100644 --- a/src/webview2/mod.rs +++ b/src/webview2/mod.rs @@ -1101,6 +1101,7 @@ impl InnerWebView { ); } + // TODO: feature to allow injecting into (specific) subframes #[inline] fn add_script_to_execute_on_document_created(webview: &ICoreWebView2, js: String) -> Result<()> { let webview = webview.clone(); diff --git a/src/wkwebview/mod.rs b/src/wkwebview/mod.rs index 3b1b2312d..f4dd5f402 100644 --- a/src/wkwebview/mod.rs +++ b/src/wkwebview/mod.rs @@ -1085,10 +1085,8 @@ r#"Object.defineProperty(window, 'ipc', { unsafe { let userscript: id = msg_send![class!(WKUserScript), alloc]; let script: id = - // FIXME: We allow subframe injection because webview2 does and cannot be disabled (currently). - // once webview2 allows disabling all-frame script injection, forMainFrameOnly should be enabled - // if it does not break anything. (originally added for isolation pattern). - msg_send![userscript, initWithSource:NSString::new(js) injectionTime:0 forMainFrameOnly:0]; + // TODO: feature to allow injecting into subframes + msg_send![userscript, initWithSource:NSString::new(js) injectionTime:0 forMainFrameOnly:1]; let _: () = msg_send![self.manager, addUserScript: script]; } }