Skip to content
This repository was archived by the owner on Feb 26, 2020. It is now read-only.

Commit c5ab168

Browse files
axelchalonaxelchalon
committed
Restrict dapp access to resources
1 parent 68fda6c commit c5ab168

File tree

1 file changed

+18
-6
lines changed

1 file changed

+18
-6
lines changed

electron/index.js

+18-6
Original file line numberDiff line numberDiff line change
@@ -123,18 +123,18 @@ function createWindow () {
123123
let baseUrl;
124124
let appId;
125125

126-
// Keep track of the first URL of the webview (index.html of the dapp).
127-
// This defines what files the webview is allowed to navigate to within
128-
// the same frame. For example, my-dapp/index.html can navigate to
129-
// my-dapp/some/folder/hi.html and then back to my-dapp/index.html
126+
// Derive the dapp baseUrl (.../my-dapp/) from the first URL of the webview
127+
// (.../my-dapp/index.html). The baseUrl defines what files the webview is
128+
// allowed to navigate to within the same frame.
129+
// For example, my-dapp/index.html can navigate to my-dapp/some/dir/hi.html
130+
// and then back to my-dapp/index.html
130131
webContents.once('did-navigate', (e, initialUrl) => {
131132
const initialURL = new URL(initialUrl);
132133

133134
appId = initialURL.searchParams.get('appId');
134135

135136
initialURL.hash = '';
136137
initialURL.search = '';
137-
138138
baseUrl = initialURL.href.substr(0, initialURL.href.lastIndexOf('/') + 1);
139139
});
140140

@@ -144,7 +144,7 @@ function createWindow () {
144144
e.preventDefault();
145145

146146
if (targetUrl.startsWith(baseUrl)) {
147-
// The target URL is located inside the dapp folder: allow in-frame
147+
// The target resource is located inside the dapp folder: allow in-frame
148148
// navigation but enforce appId query parameter for inject.js
149149

150150
const newURL = new URL(targetUrl);
@@ -159,6 +159,18 @@ function createWindow () {
159159
electron.shell.openExternal(targetUrl);
160160
}
161161
});
162+
163+
// Block in-page requests to resources outside the dapp folder
164+
webContents.session.webRequest.onBeforeRequest({ urls: ['file://*'] }, (details, callback) => {
165+
if (baseUrl && !details.url.startsWith(baseUrl)) {
166+
const sanitizedUrl = details.url.replace(/'/, '');
167+
168+
webContents.executeJavaScript(`console.warn('Parity UI blocked a request to access ${sanitizedUrl}')`);
169+
callback({ cancel: true });
170+
} else {
171+
callback({ cancel: false });
172+
}
173+
});
162174
});
163175

164176
mainWindow.on('closed', () => {

0 commit comments

Comments
 (0)