mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

security: block chrome.tabs.executeScript() for non chrome-extension: URLs (#15929)

Browse source
This commit is contained in:
Milan Burda 2018-12-11 10:45:46 +01:00 committed by Alexey Kuzmin
parent e044ada65c
commit 607b53c883
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
lib/browser/chrome-extension.js
View file

@ -201,7 +201,18 @@ ipcMain.on('CHROME_TABS_SEND_MESSAGE', function (event, tabId, extensionId, isBa
resultID++ resultID++
}) })
const isChromeExtension = function (pageURL) {
const { protocol } = url.parse(pageURL)
return protocol === 'chrome-extension:'
}
ipcMain.on('CHROME_TABS_EXECUTESCRIPT', function (event, requestId, tabId, extensionId, details) { ipcMain.on('CHROME_TABS_EXECUTESCRIPT', function (event, requestId, tabId, extensionId, details) {
const pageURL = event.sender._getURL()
if (!isChromeExtension(pageURL)) {
console.error(`Blocked ${pageURL} from calling chrome.tabs.executeScript()`)
return
}
const contents = webContents.fromId(tabId) const contents = webContents.fromId(tabId)
if (!contents) { if (!contents) {
console.error(`Sending message to unknown tab ${tabId}`) console.error(`Sending message to unknown tab ${tabId}`)