diff --git a/src/electron-main.js b/src/electron-main.js index 95d3a8f..132e49d 100644 --- a/src/electron-main.js +++ b/src/electron-main.js @@ -1,9 +1,8 @@ /* Copyright 2016 Aviral Dasgupta Copyright 2016 OpenMarket Ltd -Copyright 2018, 2019 New Vector Ltd Copyright 2017, 2019 Michael Telatynski <7t3chguy@gmail.com> -Copyright 2020 The Matrix.org Foundation C.I.C. +Copyright 2018 - 2021 New Vector Ltd Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -922,11 +921,7 @@ app.on('ready', async () => { nodeIntegration: false, //sandbox: true, // We enable sandboxing from app.enableSandbox() above enableRemoteModule: false, - // We don't use this: it's useful for the preload script to - // share a context with the main page so we can give select - // objects to the main page. The sandbox option isolates the - // main page from the background script. - contextIsolation: false, + contextIsolation: true, webgl: false, spellcheck: true, }, diff --git a/src/preload.js b/src/preload.js index 0862ec6..f3b25df 100644 --- a/src/preload.js +++ b/src/preload.js @@ -1,5 +1,5 @@ /* -Copyright 2018, 2019 New Vector Ltd +Copyright 2018, 2019, 2021 New Vector Ltd Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -14,7 +14,44 @@ See the License for the specific language governing permissions and limitations under the License. */ -const { ipcRenderer } = require('electron'); +const { contextBridge, ipcRenderer } = require("electron"); -// expose ipcRenderer to the renderer process -window.ipcRenderer = ipcRenderer; +// Expose only expected IPC wrapper APIs to the renderer process to avoid +// handing out generalised messaging access. + +const CHANNELS = [ + "app_onAction", + "before-quit", + "check_updates", + "install_update", + "ipcCall", + "ipcReply", + "loudNotification", + "preferences", + "seshat", + "seshatReply", + "setBadgeCount", + "update-downloaded", + "userDownloadCompleted", + "userDownloadOpen", +]; + +contextBridge.exposeInMainWorld( + "electron", + { + on(channel, listener) { + if (!CHANNELS.includes(channel)) { + console.error(`Unknown IPC channel ${channel} ignored`); + return; + } + ipcRenderer.on(channel, listener); + }, + send(channel, ...args) { + if (!CHANNELS.includes(channel)) { + console.error(`Unknown IPC channel ${channel} ignored`); + return; + } + ipcRenderer.send(channel, ...args); + }, + }, +);