Enable context isolation and disable nodejs support. Fixes #2018

[tsmaeder]

What it does

All access to electron API is now done through an API exposed via a preload script. Access to the electron API (including electron-remote) and nodejs API is no longer possible.
Theia extensions can contribute to the preload script via a theiaExtensions module declaration in their package.json

Fixes #2018

Contributed on behalf or STMicroelectronics

How to test

Run the electron version of Theia and make sure nothing is broken. Particular areas of interest is anything to do with menus and windows, for example "zoom in/out", "maximize", etc.

CQ

• Electron IP Check
• FFmpeg IP Check

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[tsmaeder]

I'm opening a draft PR because I'll be working on updating to a newer electron version, as well. I'd be interested in feedback and testing, though.

[paul-marechal]

Quick first review pass. Note that the CI doesn't look happy.

[tsmaeder]

The license check shows npm/npmjs/@babel/plugin-transform-async-to-generator/7.20.7 to be "under review", but if you looka the issue, it's approved. What gives? https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/6230

[tsmaeder]

One of the linter issues is this:

packages/debug/src/browser/debug-variables-source-tree.ts(46,11): error TS4114: This member must have an 'override' modifier because it overrides a member in the base class 'SourceTree'.

But that's not even part of this PR. What gives?

[vince-fugnitto]

The license check shows npm/npmjs/@babel/plugin-transform-async-to-generator/7.20.7 to be "under review", but if you looka the issue, it's approved. What gives? https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/6230

@tsmaeder I don't believe these are errors, only electron is:

• https://github.com/eclipse-theia/theia/actions/runs/4436118782/jobs/7784138808?pr=12299#step:5:348

The other entries were added to our baseline at the time but can likely be cleaned up as they are approved:

theia/dependency-check-baseline.json

Lines 1 to 14 in f8654ec

	{
	"npm/npmjs/-/eslint-plugin-deprecation/1.2.1": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22573",
	"npm/npmjs/-/jschardet/2.3.0": "Approved for Eclipse Theia: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22481",
	"npm/npmjs/-/jsdom/11.12.0": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=23640https://dev.eclipse.org/ipzilla/show_bug.cgi?id=23640",
	"npm/npmjs/-/lzma-native/8.0.6": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/1850",
	"npm/npmjs/-/playwright-core/1.22.2": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2734",
	"npm/npmjs/@babel/helper-compilation-targets/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5989",
	"npm/npmjs/@babel/helper-member-expression-to-functions/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5986",
	"npm/npmjs/@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5987",
	"npm/npmjs/@babel/plugin-transform-arrow-functions/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5990",
	"npm/npmjs/@babel/plugin-transform-async-to-generator/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/6230",
	"npm/npmjs/@babel/plugin-transform-computed-properties/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5984",
	"npm/npmjs/@babel/template/7.20.7": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5988"
	}

---

Please also note that bumping electron requires a pretty significant CQ with the foundation.

[tsmaeder]

@vince-fugnitto thanks for chiming in. Is there any documentation on what a "baseline" is and how to resolve issues with this check?

[marcdumais-work]

I think the component failing the IP check is the new version of Electron:
X npm/npmjs/-/electron/22.3.2,

Please also note that bumping electron requires a pretty significant CQ with the foundation.

Indeed, in part because Electron bundles Chromium which bundles ffmpeg, a component that can have GPL content and/or proprietary codecs, depending on how it's built.

@vince-fugnitto can you point-out a past example of such CQ IP Check? I get no result when searching on EF Gitlab. (Wayne would really like us to stop the term CQ)

[vince-fugnitto]

@vince-fugnitto can you point-out a past example of such CQ IP Check? I get no result when searching on EF Gitlab. (Wayne would really like us to stop the term CQ)

Here is a past "IP Due Diligence Check" (CQ) for electron when we bumped to 15.1.2:

• electron ip check
• ffmpeg ip check

---

Here is an example of using the new GitLab repo to submit a CQ: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5022.

[vince-fugnitto]

@vince-fugnitto thanks for chiming in. Is there any documentation on what a "baseline" is and how to resolve issues with this check?

There is no documentation afaik that details the processes but we can look towards updating https://github.com/eclipse-theia/theia/wiki/Registering-CQs.

The baseline is used to suppress errors from dash-licenses when the foundation has specifically approved a dependency for our project, or as works-with. For actual license incompatibilities our CI will perform an automatic review of a dependency to https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab where we need to wait for the dependency to be checked and approved for us to use.

[tsmaeder]

FYI: I got the dash-licenses check to pass by poking at clearlydefined to harvest data for the electron versions in question. Not that I know what I'm doing 🤷

[vince-fugnitto]

@tsmaeder do you need assistance with the CQ, or would like me to handle it?

[tsmaeder]

@vince-fugnitto thanks for the help. While I would like to get this PR merged, the most important outcome for me is is that we clarify and document the process. The documentation we have is woefully out of date. There's also the fact that I can make the PR check pass by fiddling with clearlydefined. And yet, we still seem to need a CQ? Is our PR check wrong? Do you have additional info that says we still need a CQ?

[vince-fugnitto]

Do you have additional info that says we still need a CQ?

It is required due to Electron distributing ffmpeg which we both file a CQ for and have @theia/ffmpeg which performs a replacement to only include non-proprietary codecs.

• https://github.com/eclipse-theia/theia/blob/master/NOTICE.md#electron

The foundation has requested in the past that we submit requests to be able to use Electron in the project.
cc @marcdumais-work

[tsmaeder]

@paul-marechal you mentioned you would prefer using dependency injection for some of the API. Could you sketch what would do differently?

[paul-marechal]

Instead of creating hardcoded APIs and exposing them all in the global scope, we'd do like any other entry point and load various Inversify container modules. Doing this in the preload context was easy, but then it gets tricky when trying to expose the things bound there to the browser window.

Ultimately the idea is to go from referring to preload services as window.whateverGlobalVariable to be able to use the @inject(PreloadComponentApi) pattern.

This means that downstream app makers will be able to override services/apis/etc just like everywhere else. With this PR in its current state it's not possible to change much.

[tsmaeder]

@paul-marechal that's sounds interesting, but it's not really in scope for this PR, IMO. It sounds like a complete rewrite of the code. I would much rather focus on getting this one merged and to proceed from there.

[tsmaeder]

In German, there is a saying: "the better is the enemy of the good" ;-)