
fix: enforce webview security prefs from main process#10172

Open
jackkav wants to merge 1 commit into develop from claude/quizzical-zhukovsky-7bba59

Conversation

@jackkav jackkav (Contributor) commented Jun 26, 2026

Summary

  • Adds a will-attach-webview handler on mainBrowserWindow.webContents in window-utils.ts
  • Security-critical WebPreferences (nodeIntegration, nodeIntegrationInSubFrames, allowRunningInsecureContent, preload, preloadURL) are now pinned in the main process and cannot be overridden by renderer-supplied attributes
  • The renderer's webpreferences string is still parsed for the one pref we trust: javascript (controls JS execution in HTML response preview — a legitimate user setting)
  • disableDialogs=true is always enforced from main regardless of renderer input

Background

window-utils.ts enables webviewTag: true for the main window (line 208). ResponseWebView renders untrusted response bodies inside a <webview> and sets prefs via a renderer-side string attribute (disableDialogs=true, javascript=yes/no). Without a will-attach-webview guard, a renderer compromise could supply arbitrary webpreferences values (e.g. nodeIntegration=true, a custom preload script) and the main process would apply them. This change moves enforcement to the main process.

Test plan

  • Open an HTTP response with HTML content type — verify the webview renders with JS enabled/disabled matching the "Disable JS" toggle
  • Confirm no regression in HTML preview rendering
  • Verify nodeIntegration is still false for webviews (default Electron behaviour, now also explicitly enforced)

Add a will-attach-webview handler on mainBrowserWindow.webContents so
that security-critical WebPreferences (nodeIntegration, preload, etc.)
are pinned in the main process regardless of what the renderer supplies
via the webpreferences attribute string.

The renderer-supplied string is still parsed for the one user-controlled
preference we trust (javascript on/off for HTML preview), but everything
else is overridden: nodeIntegration=false, nodeIntegrationInSubFrames=false,
allowRunningInsecureContent=false, disableDialogs=true.
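
As an added example, not code from this PR or the Insomnia project, this is the main-process side of the guard the description outlines: parse the renderer's webpreferences attribute string, honour only `javascript`, and pin the rest. Electron's will-attach-webview callback shapes are modelled with a local interface so it runs without the electron module, and the wiring comment assumes Electron exposes the raw attribute as `params.webpreferences`.

```typescript
// Added example (not Insomnia's code); Electron's types are modelled locally.

interface WebPreferences {
  nodeIntegration?: boolean;
  nodeIntegrationInSubFrames?: boolean;
  allowRunningInsecureContent?: boolean;
  disableDialogs?: boolean;
  javascript?: boolean;
  preload?: string;
  preloadURL?: string;
}

// Parse a <webview webpreferences="..."> attribute string: comma-separated
// entries, a bare name means true, name=yes/1/true is true, name=no/0/false
// is false, anything else is kept as a raw string.
function parseWebPreferencesAttr(attr: string | undefined): Record<string, boolean | string> {
  const out: Record<string, boolean | string> = {};
  for (const raw of (attr ?? '').split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    const eq = entry.indexOf('=');
    if (eq < 0) { out[entry] = true; continue; }
    const key = entry.slice(0, eq).trim();
    const value = entry.slice(eq + 1).trim().toLowerCase();
    if (['yes', '1', 'true'].includes(value)) out[key] = true;
    else if (['no', '0', 'false'].includes(value)) out[key] = false;
    else out[key] = value;
  }
  return out;
}

// Pin the security-critical prefs from the main process. Only `javascript`
// is honoured from the renderer string (defaults to enabled); everything
// else the renderer asked for, including any preload path, is discarded.
function enforceWebviewPrefs(webPreferences: WebPreferences, attr: string | undefined): WebPreferences {
  const requested = parseWebPreferencesAttr(attr);
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInSubFrames = false;
  webPreferences.allowRunningInsecureContent = false;
  webPreferences.disableDialogs = true;
  webPreferences.javascript = requested.javascript !== false;
  return webPreferences;
}

// Wiring (assumes params.webpreferences carries the raw attribute string):
// mainBrowserWindow.webContents.on('will-attach-webview', (_e, prefs, params) => enforceWebviewPrefs(prefs, params.webpreferences));
```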
@github-actions


✅ Circular References Report

Generated at: 2026-06-26T13:03:38.617Z
Status: ✅ NO CHANGE

Summary

Metric                      Base (develop)   PR   Change
Total Circular References   9                9    0 (0.00%)

All circular references in PR (9):

  • insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
  • insomnia/src/main/prompt-bridge.ts -> insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
  • insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
  • insomnia/src/network/network.ts -> insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts
  • insomnia/src/network/network.ts -> insomnia/src/common/render.ts
  • insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
  • insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
  • insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
  • insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx

Analysis

No Change: This PR does not introduce or remove any circular references.


This report was generated automatically by comparing against the develop branch.
