From 05056545f27754901e88d9b87539e5256331d372 Mon Sep 17 00:00:00 2001 From: tobspr Date: Sat, 15 Jan 2022 11:45:57 +0100 Subject: [PATCH] Properly isolate electron renderer process --- electron/index.js | 74 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 69 insertions(+), 5 deletions(-) diff --git a/electron/index.js b/electron/index.js index 8ff7faa2..1b8b4b5e 100644 --- a/electron/index.js +++ b/electron/index.js @@ -1,6 +1,6 @@ /* eslint-disable quotes,no-undef */ -const { app, BrowserWindow, Menu, MenuItem, ipcMain, shell, dialog } = require("electron"); +const { app, BrowserWindow, Menu, MenuItem, ipcMain, shell, dialog, session } = require("electron"); const path = require("path"); const url = require("url"); const fs = require("fs"); @@ -55,10 +55,16 @@ function createWindow() { autoHideMenuBar: true, webPreferences: { nodeIntegration: false, + nodeIntegrationInWorker: false, + nodeIntegrationInSubFrames: false, + contextIsolation: true, + enableRemoteModule: false, + disableBlinkFeatures: "Auxclick", + webSecurity: true, sandbox: true, - contextIsolation: true, preload: path.join(__dirname, "preload.js"), + experimentalFeatures: false, }, allowRunningInsecureContent: false, }); @@ -77,9 +83,67 @@ function createWindow() { win.webContents.session.clearCache(); win.webContents.session.clearStorageData(); + ////// SECURITY + + // Disable permission requests + win.webContents.session.setPermissionRequestHandler((webContents, permission, callback) => { + callback(false); + }); + session.fromPartition("default").setPermissionRequestHandler((webContents, permission, callback) => { + callback(false); + }); + + app.on("web-contents-created", (event, contents) => { + // Disable vewbiew + contents.on("will-attach-webview", (event, webPreferences, params) => { + event.preventDefault(); + }); + // Disable navigation + contents.on("will-navigate", (event, navigationUrl) => { + event.preventDefault(); + }); + }); + + win.webContents.on("will-redirect", (contentsEvent, navigationUrl) => { + // Log and prevent the app from redirecting to a new page + console.error( + `The application tried to redirect to the following address: '${navigationUrl}'. This attempt was blocked.` + ); + contentsEvent.preventDefault(); + }); + + // Filter loading any module via remote; + // you shouldn't be using remote at all, though + // https://electronjs.org/docs/tutorial/security#16-filter-the-remote-module + app.on("remote-require", (event, webContents, moduleName) => { + event.preventDefault(); + }); + + // built-ins are modules such as "app" + app.on("remote-get-builtin", (event, webContents, moduleName) => { + event.preventDefault(); + }); + + app.on("remote-get-global", (event, webContents, globalName) => { + event.preventDefault(); + }); + + app.on("remote-get-current-window", (event, webContents) => { + event.preventDefault(); + }); + + app.on("remote-get-current-web-contents", (event, webContents) => { + event.preventDefault(); + }); + + //// END SECURITY + win.webContents.on("new-window", (event, pth) => { event.preventDefault(); - shell.openExternal(pth); + + if (pth.startsWith("https://")) { + shell.openExternal(pth); + } }); win.on("closed", () => { @@ -90,11 +154,11 @@ function createWindow() { if (isDev) { menu = new Menu(); - win.toggleDevTools(); + win.webContents.toggleDevTools(); const mainItem = new MenuItem({ label: "Toggle Dev Tools", - click: () => win.toggleDevTools(), + click: () => win.webContents.toggleDevTools(), accelerator: "F12", }); menu.append(mainItem);