From 7e5dba30bb9675df8b0612266e685dc82b4dec55 Mon Sep 17 00:00:00 2001
From: yan <yan@mit.edu>
Date: Fri, 29 Jan 2016 17:15:41 -0800
Subject: [PATCH] Make sure BrowserWindow only loads whitelisted URLs

Fix #445

Auditors: @bbondy
---
 js/stores/appStore.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/js/stores/appStore.js b/js/stores/appStore.js
index effb2a4a126..fa089e23e5b 100644
--- a/js/stores/appStore.js
+++ b/js/stores/appStore.js
@@ -204,10 +204,24 @@ const handleAppAction = (action) => {
         'appState=' + encodeURIComponent(JSON.stringify(appState.toJS())) +
         '&frames=' + encodeURIComponent(JSON.stringify(frames))
 
+      const devUrl = 'file://' + __dirname + '/../../app/index-dev.html?' + queryString
+      const prodUrl = 'file://' + __dirname + '/../../app/index.html?' + queryString
       if (process.env.NODE_ENV === 'development') {
-        mainWindow.loadURL('file://' + __dirname + '/../../app/index-dev.html?' + queryString)
+        mainWindow.loadURL(devUrl)
+        // Prevent this window from loading non-whitelisted content
+        mainWindow.webContents.on('will-navigate', (e, url) => {
+          if (url !== devUrl) {
+            e.preventDefault()
+          }
+        })
       } else {
-        mainWindow.loadURL('file://' + __dirname + '/../../app/index.html?' + queryString)
+        mainWindow.loadURL(prodUrl)
+        // Prevent this window from loading non-whitelisted content
+        mainWindow.webContents.on('will-navigate', (e, url) => {
+          if (url !== prodUrl) {
+            e.preventDefault()
+          }
+        })
       }
       appStore.emitChange()