Security: Restrict login domains to TLD

[mountainash]

A crafty scriptor could get around the isLoginURL function by creating a link (in a tracks comments/description) to a subdomain to match the login URLs such as https://accounts.google.com.bad-actor.com/shellscript.html.

Would be safer to check that the domain match is restricted to the top level eg /^https:\/\/accounts\.google\.com\/.*/i,

Workflow wise this could be done at the same time as #206. Also at the same time; new-window is being deprecated.

References:

• https://www.electronjs.org/docs/api/web-contents#event-new-window-deprecated
• https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content
• https://security.stackexchange.com/questions/225799/dangers-of-electrons-shell-openexternal-on-untrusted-content
• https://gist.github.com/MarshallOfSound/ad19a8846c06033cb07a8b203ebda7f6

[mountainash]

Also the facebook regex doesn't escape the dot separators . -

[salomvary]

@mountainash Thanks for your insights, much appreciated! Processing URLs with regular expressions has never been a good idea...