Make sure BrowserWindow only loads whitelisted URLs

Fix #445 Auditors: @bbondy
brave · Jan 30, 2016 · 7e5dba3 · 7e5dba3 · bbondy · Jan 30, 2016
1 parent 85bae78
commit 7e5dba3
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/js/stores/appStore.js b/js/stores/appStore.js
@@ -204,10 +204,24 @@ const handleAppAction = (action) => {
         'appState=' + encodeURIComponent(JSON.stringify(appState.toJS())) +
         '&frames=' + encodeURIComponent(JSON.stringify(frames))
 
+      const devUrl = 'file://' + __dirname + '/../../app/index-dev.html?' + queryString
+      const prodUrl = 'file://' + __dirname + '/../../app/index.html?' + queryString
       if (process.env.NODE_ENV === 'development') {
-        mainWindow.loadURL('file://' + __dirname + '/../../app/index-dev.html?' + queryString)
+        mainWindow.loadURL(devUrl)
+        // Prevent this window from loading non-whitelisted content
+        mainWindow.webContents.on('will-navigate', (e, url) => {
+          if (url !== devUrl) {
+            e.preventDefault()
+          }
+        })
       } else {
-        mainWindow.loadURL('file://' + __dirname + '/../../app/index.html?' + queryString)
+        mainWindow.loadURL(prodUrl)
+        // Prevent this window from loading non-whitelisted content
+        mainWindow.webContents.on('will-navigate', (e, url) => {
+          if (url !== prodUrl) {
+            e.preventDefault()
+          }
+        })
       }
       appStore.emitChange()