From 07df8d1802d3c45c156a2ed7b51e8936a497b554 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Tue, 7 Mar 2023 16:30:53 +0100
Subject: fix(main) filter URLs that can be opened
---
 main.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/main.js b/main.js
index 9ddca84..df29301 100644
--- a/main.js
+++ b/main.js
@@ -234,6 +234,25 @@ function createJitsiMeetWindow() {
 mainWindow.webContents.setWindowOpenHandler(windowOpenHandler);
+ // Block access to file:// URLs.
+ const fileFilter = {
+ urls: [ 'file://*' ]
+ };
+
+ mainWindow.webContents.session.webRequest.onBeforeSendHeaders(fileFilter, (details, callback) => {
+ const requestedUrl = new URL.URL(details.url);
+ const requestedBasename = path.resolve(requestedUrl.pathname);
+ const appBasePath = path.resolve(basePath);
+
+ if (!requestedBasename.startsWith(appBasePath)) {
+ callback(false);
+
+ return;
+ }
+
+ callback(true);
+ });
+
 // Filter out x-frame-options and frame-ancestors CSP to allow loading jitsi via the iframe API
 // Resolves https://github.com/jitsi/jitsi-meet-electron/issues/285
 mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
-- cgit v1.2.3
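Review bot: The `callback(false)` and `callback(true)` calls in the new `onBeforeSendHeaders` handler pass a bare boolean, while Electron documents this callback as taking a response object with a `cancel` field, so a request outside the app directory may not actually be cancelled. The containment test `requestedBasename.startsWith(appBasePath)` also accepts any sibling path that merely shares the prefix, and it compares the still percent-encoded `pathname`, which differs from the on-disk path when that contains spaces or non-ASCII characters and presumably for Windows drive-letter URLs. The sketch below decodes with `fileURLToPath` (assuming the file's `URL` binding is Node's `url` module, as `new URL.URL(...)` suggests), requires a path separator after the base, and fails closed on malformed URLs. Whether `file://` loads reach `onBeforeSendHeaders` at all is worth confirming with a test. The enclosing `createJitsiMeetWindow` starts and ends outside the hunk.

```javascript
// … unchanged: fileFilter definition …
mainWindow.webContents.session.webRequest.onBeforeSendHeaders(fileFilter, (details, callback) => {
    const appBasePath = path.resolve(basePath);
    let allowed = false;

    try {
        // fileURLToPath decodes percent-escapes and drive letters; it throws on malformed file URLs.
        const requestedPath = path.resolve(URL.fileURLToPath(details.url));

        // Require a separator after the base so a sibling directory sharing the prefix does not match.
        allowed = requestedPath === appBasePath || requestedPath.startsWith(appBasePath + path.sep);
    } catch (err) {
        // Fail closed: anything that cannot be mapped to a local path is rejected.
        allowed = false;
    }

    callback({ cancel: !allowed });
});
```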