This repository has been archived by the owner on May 24, 2022. It is now read-only.

Use preload script as buffer between main and renderer processes #463

Merged: 1 commit, Mar 14, 2019

amaury1093
Collaborator

@ltfschoen a patch to your PR that uses preload scripts. I played around a little bit; I think unfortunately we can't use contextIsolation=true if we wish to use ipcRenderers.

@ltfschoen ltfschoen merged commit 1ee0ffa into luke-124-security Mar 14, 2019
@amaury1093 amaury1093 deleted the am-124-security branch March 15, 2019 20:09
amaury1093 pushed a commit that referenced this pull request Apr 8, 2019
* feat: Security aspects for fether-electron. See #124

* feat: Add Source Maps support

* docs: Add Source Maps guide to Readme

* feat: Add webpack-build-notifier add-on with custom Webpack config

* fix: Remove duplicate dependency

* WIP

* WIP

* review-fix: Configure CSP depending on NODE_ENV

* fix: Fix worker-src for the camera in production

* review-fix: Remove unnecessary config of source maps dependency

* Use preload script as buffer between main and renderer processes (#463)

* fix: Remove is-electron since now using preload script

* fix: Remove old preload script

* fix: Do not expose electron, remote, or require to web app

* fix: Add newline

* feat: Single Fether instance lock

* fix: Move preload to static folder so works with binary

* review-fix: Remove fix for webview since not used. Add comment in case used in future. Fix other event handling code

* review-fix: Add optional opt-in to using Webpack notifier plugin by running with NOTIFIER=true yarn start

* review-fix: Use pino.debug instead of console.log

* review-fix: Add worker-src blob to CSP in development for webcam

* review-fix: Update handling of untrusted urls and sessions and certificates

* review-fix: Convert to WSS. Move CSP into array like in Parity-JS Shell. Update CSP

* review-fix: Update CSP to avoid duplication

* review-fix: Remove from new-window event listener that which applies to additional new BrowserWindows since not applicable

* review-fix: Combined pino logs

* review-fix: Change to parsedUrl.href instead of origin. Fix trusted urls for dev

* fix: Remote https 127.0.0.1 in prod

* review-fix: Move WebpackBuildNotifier images so not in binary. Fix ico file

* fix: Remove console.logs

* refactor: Cleanup so can merge. Extract for inclusion in separate PR

* review-fix: Remove debugging notes since better in wiki

* review-fix: Remove other lines due to move to wiki

* fix comment

* review-fix: Remove setPermissionRequestHandler since not know if need. Move to https://hackmd.io/O1FA34BuSNyJoPV1Cu3L0A

* review-fix: Move CSP debugging into onHeadersReceived

* review-fix: Fix isParityRunningStatus

* review-fix: Replace parse-url with Node.js url parser

* review-fix: Remove parse-url from dependencies

* fix: Fix logic in setCertificateVerifyProc

* WIP

* review-fix: Dynamically add WS port from CLI to trusted

* review-fix: Update comments with security warnings

* merge latest from master and fix conflicts

* chore: Remove useless console.log

* misc: See commit details

* Remove --ws-origins from CLI, hard-code instead
* Remove --ws-interface from CLI, hard-code instead
* Ignore --ws-interface and --ws-origins flags in CLI
* Add hard-coded default trusted WS interface to window.bridge
* Add default WS port to window.bridge

* WIP - start implementing isDev. See FIXME for future work required

* review-fix: Use appIsPackaged instead of NODE_ENV

* fix: Add IS_PROD to constants and assign appIsPackaged to it. Expose it to frontend so no longer use NODE_ENV

* feat: Add wiki Fether FAQ to trusted urls since required by PR #482

* fix: Fix untrusted blockscout.com error in setCertificateVerifyProc

* review-fix: fix blocked image hosting and external blockscout urls

* review-fix: trust github token icons

* review-fix: Rename network to fetherNetwork so custom config avoids naming conflict

* review-fix: Remove duplicate pino.debug for CSP

* review-fix: Remove WsSecure until wss and certificates implemented

* review-fix: Update config to show Electron security warnings in all environments

* review-fix: Remove use of wsInterface

* refactor: Refactor tests inside describe blocks

* tests: Add chrome dev tools to tests for trusted urls

* review-fix: Use NODE_ENV and Electron app.isPackaged

* fix: Rebuild yarn.lock

* fix: Fix linting to arg passed to correct script

* review-fix: Remove ws-origins flag and trusted ws origins

* test: Fix failing test

* review-fix: Remove package-lock.json

* fix: Use NODE_ENV consistently instead of process.defaultApp

* fix: Change to hash instead of transactionHash for blockscout