authorSaúl Ibarra Corretgé <s@saghul.net>2023-03-07 16:30:53 +0100
committerSaúl Ibarra Corretgé <s@saghul.net>2023-03-07 19:36:49 +0100
commit07df8d1802d3c45c156a2ed7b51e8936a497b554 (patch)
tree8a5198f445efb82672a3f178122bc43c9e8d9a2a
parenta261fd46bc6c7d4804aa83e3f327fa59cc52bcb3 (diff)
fix(main) filter URLs that can be opened
-rw-r--r--main.js19
1 files changed, 19 insertions, 0 deletions
diff --git a/main.js b/main.js
index 9ddca84..df29301 100644
--- a/main.js
+++ b/main.js
@@ -234,6 +234,25 @@ function createJitsiMeetWindow() {
mainWindow.webContents.setWindowOpenHandler(windowOpenHandler);
+ // Block access to file:// URLs.
+ const fileFilter = {
+ urls: [ 'file://*' ]
+ };
+
+ mainWindow.webContents.session.webRequest.onBeforeSendHeaders(fileFilter, (details, callback) => {
+ const requestedUrl = new URL.URL(details.url);
+ const requestedBasename = path.resolve(requestedUrl.pathname);
+ const appBasePath = path.resolve(basePath);
+
+ if (!requestedBasename.startsWith(appBasePath)) {
+ callback(false);
+
+ return;
+ }
+
+ callback(true);
+ });
+
// Filter out x-frame-options and frame-ancestors CSP to allow loading jitsi via the iframe API
// Resolves https://github.com/jitsi/jitsi-meet-electron/issues/285
mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
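Review bot: The `callback(false)` and `callback(true)` calls in the new `onBeforeSendHeaders` handler pass a bare boolean, while Electron documents this callback as taking an object with an optional `cancel` field, so the rejection branch may not cancel the request at all. Use `callback({ cancel: true });` to block and `callback({ cancel: false });` to allow, and confirm the behaviour with a file:// URL outside the app directory. The `requestedBasename.startsWith(appBasePath)` test is also a plain string prefix, so a sibling directory whose name merely begins with the base path would pass; comparing against `appBasePath + path.sep` or checking `path.relative` closes that gap. `requestedUrl.pathname` stays percent-encoded and on Windows keeps a leading slash before the drive letter, so converting with `fileURLToPath(details.url)` before `path.resolve` looks safer, assuming `URL` here is Node's `url` module, which the hunk does not show. The body of createJitsiMeetWindow starts and ends outside the hunk.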