Restrict dapp access to resources #156

Merged
merged 3 commits into from
Jul 10, 2018
31 changes: 25 additions & 6 deletions electron/index.js
Expand Up @@ -117,18 +117,18 @@ function createWindow () {
let baseUrl;
let appId;

// Keep track of the first URL of the webview (index.html of the dapp).
// This defines what files the webview is allowed to navigate to within
// the same frame. For example, my-dapp/index.html can navigate to
// my-dapp/some/folder/hi.html and then back to my-dapp/index.html
// Derive the dapp baseUrl (.../my-dapp/) from the first URL of the webview
// (.../my-dapp/index.html). The baseUrl defines what files the webview is
// allowed to navigate to within the same frame.
// For example, my-dapp/index.html can navigate to my-dapp/some/dir/hi.html
// and then back to my-dapp/index.html
webContents.once('did-navigate', (e, initialUrl) => {
const initialURL = new URL(initialUrl);

appId = initialURL.searchParams.get('appId');

initialURL.hash = '';
initialURL.search = '';

baseUrl = initialURL.href.substr(0, initialURL.href.lastIndexOf('/') + 1);
});

Expand All @@ -138,7 +138,7 @@ function createWindow () {
e.preventDefault();

if (targetUrl.startsWith(baseUrl)) {
// The target URL is located inside the dapp folder: allow in-frame
// The target resource is located inside the dapp folder: allow in-frame
// navigation but enforce appId query parameter for inject.js

const newURL = new URL(targetUrl);
Expand All @@ -153,6 +153,25 @@ function createWindow () {
electron.shell.openExternal(targetUrl);
}
});

// Block in-page requests to resources outside the dapp folder
webContents.session.webRequest.onBeforeRequest({ urls: ['file://*'] }, (details, callback) => {
if (baseUrl &&
!details.url.startsWith(baseUrl) &&
// dapp-dapp-visible needs to be able to display the icons of other
// dapps, so as a temporary fix we allow access to all .png files
!url.parse(details.url).pathname.endsWith('.png')) {
const sanitizedUrl = details.url.replace(/'/, '');

if (!webContents.isDestroyed()) {
webContents.executeJavaScript(`console.warn('Parity UI blocked a request to access ${sanitizedUrl}')`);
}

callback({ cancel: true });
} else {
callback({ cancel: false });
}
});
});

mainWindow.on('closed', () => {
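Review bot: The `sanitizedUrl` sanitization in the new onBeforeRequest handler is incomplete: `details.url.replace(/'/, '')` has no `g` flag, so only the first single quote is removed, and backslashes are not touched at all, yet the result is interpolated into a single-quoted string literal passed to `webContents.executeJavaScript`, so a request URL containing a second quote terminates the literal and the rest of the URL is evaluated as code in the webview. Build the literal with the JS serializer instead of stripping characters, e.g. replace L74 and L77 with `const message = \`Parity UI blocked a request to access ${details.url}\`;` and `webContents.executeJavaScript(\`console.warn(${JSON.stringify(message)})\`);`. The `.png` exemption is described as temporary in the comment, but as written it exempts every `.png` path on the local filesystem from the baseUrl restriction (and is case-sensitive, so `.PNG` is still blocked); if the icon directory is known it would be safer to allow only that prefix, and a `TODO` naming the follow-up would help. The same block uses the legacy `url.parse(...)` while the earlier hunk in this function uses the WHATWG `new URL(...)`; `new URL(details.url).pathname` would keep the file consistent. The enclosing `createWindow` function starts and ends outside the hunk.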