Restrict dapp access to resources

parity-js · Jul 9, 2018 · c5ab168 · c5ab168
1 parent 68fda6c
commit c5ab168
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/electron/index.js b/electron/index.js
@@ -123,18 +123,18 @@ function createWindow () {
     let baseUrl;
     let appId;
 
-    // Keep track of the first URL of the webview (index.html of the dapp).
-    // This defines what files the webview is allowed to navigate to within
-    // the same frame. For example, my-dapp/index.html can navigate to
-    // my-dapp/some/folder/hi.html and then back to my-dapp/index.html
+    // Derive the dapp baseUrl (.../my-dapp/) from the first URL of the webview
+    // (.../my-dapp/index.html). The baseUrl defines what files the webview is
+    // allowed to navigate to within the same frame.
+    // For example, my-dapp/index.html can navigate to my-dapp/some/dir/hi.html
+    // and then back to my-dapp/index.html
     webContents.once('did-navigate', (e, initialUrl) => {
       const initialURL = new URL(initialUrl);
 
       appId = initialURL.searchParams.get('appId');
 
       initialURL.hash = '';
       initialURL.search = '';
-
       baseUrl = initialURL.href.substr(0, initialURL.href.lastIndexOf('/') + 1);
     });
 
@@ -144,7 +144,7 @@ function createWindow () {
       e.preventDefault();
 
       if (targetUrl.startsWith(baseUrl)) {
-        // The target URL is located inside the dapp folder: allow in-frame
+        // The target resource is located inside the dapp folder: allow in-frame
         // navigation but enforce appId query parameter for inject.js
 
         const newURL = new URL(targetUrl);
@@ -159,6 +159,18 @@ function createWindow () {
         electron.shell.openExternal(targetUrl);
       }
     });
+
+    // Block in-page requests to resources outside the dapp folder
+    webContents.session.webRequest.onBeforeRequest({ urls: ['file://*'] }, (details, callback) => {
+      if (baseUrl && !details.url.startsWith(baseUrl)) {
+        const sanitizedUrl = details.url.replace(/'/, '');
+
+        webContents.executeJavaScript(`console.warn('Parity UI blocked a request to access ${sanitizedUrl}')`);
+        callback({ cancel: true });
+      } else {
+        callback({ cancel: false });
+      }
+    });
   });
 
   mainWindow.on('closed', () => {