
Commit d1080c4

committed
Restrict dapp access to resources
1 parent c5f3207 commit d1080c4


1 file changed

+18
-6
lines changed


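--- a/electron/index.js
+++ b/electron/index.js
@@ -111,18 +111,18 @@ function createWindow () {
 let baseUrl;
 let appId;
 
-// Keep track of the first URL of the webview (index.html of the dapp).
-// This defines what files the webview is allowed to navigate to within
-// the same frame. For example, my-dapp/index.html can navigate to
-// my-dapp/some/folder/hi.html and then back to my-dapp/index.html
+// Derive the dapp baseUrl (.../my-dapp/) from the first URL of the webview
+// (.../my-dapp/index.html). The baseUrl defines what files the webview is
+// allowed to navigate to within the same frame.
+// For example, my-dapp/index.html can navigate to my-dapp/some/dir/hi.html
+// and then back to my-dapp/index.html
 webContents.once('did-navigate', (e, initialUrl) => {
 const initialURL = new URL(initialUrl);
 
 appId = initialURL.searchParams.get('appId');
 
 initialURL.hash = '';
 initialURL.search = '';
-
 baseUrl = initialURL.href.substr(0, initialURL.href.lastIndexOf('/') + 1);
 });
 
@@ -132,7 +132,7 @@ function createWindow () {
 e.preventDefault();
 
 if (targetUrl.startsWith(baseUrl)) {
-// The target URL is located inside the dapp folder: allow in-frame
+// The target resource is located inside the dapp folder: allow in-frame
 // navigation but enforce appId query parameter for inject.js
 
 const newURL = new URL(targetUrl);
@@ -147,6 +147,18 @@ function createWindow () {
 electron.shell.openExternal(targetUrl);
 }
 });
+
+// Block in-page requests to resources outside the dapp folder
+webContents.session.webRequest.onBeforeRequest({ urls: ['file://*'] }, (details, callback) => {
+if (baseUrl && !details.url.startsWith(baseUrl)) {
+const sanitizedUrl = details.url.replace(/'/, '');
+
+webContents.executeJavaScript(`console.warn('Parity UI blocked a request to access ${sanitizedUrl}')`);
+callback({ cancel: true });
+} else {
+callback({ cancel: false });
+}
+});
 });
 
 mainWindow.on('closed', () => {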
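Review bot: The `sanitizedUrl` built at new line 154 only strips the first single quote (`replace(/'/, '')` has no `g` flag) and leaves backslashes untouched, so a blocked request URL containing a second `'` or a `\` still breaks out of the single-quoted string inside the `console.warn(...)` snippet handed to `executeJavaScript` at line 156, and the log statement becomes script chosen by whoever controls the request URL. Serializing the whole message removes the hand-rolled escaping: `webContents.executeJavaScript('console.warn(' + JSON.stringify('Parity UI blocked a request to access ' + details.url) + ')');`, after which the `sanitizedUrl` line can be dropped. Separately, the `baseUrl && ...` guard at line 153 lets every `file://` request through until `did-navigate` has set `baseUrl`; that looks intentional for the initial load but deserves a comment such as `// baseUrl is unset until the first navigation commits; nothing is blocked before then`. The `startsWith(baseUrl)` test is a plain string-prefix comparison and presumably relies on Chromium having already resolved `..` segments in `details.url`; stating that assumption in the comment above the handler would help the next reader. The enclosing `createWindow` function starts and ends outside this hunk.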
