docs: add new IPC validation section to the security tutorial (#33369)

* docs: add new IPC validation section to the security tutorial * Update security.md * Update docs/tutorial/security.md Co-authored-by: Erick Zhao <erick@hotmail.ca> * Update docs/tutorial/security.md Co-authored-by: Erick Zhao <erick@hotmail.ca> Co-authored-by: Erick Zhao <erick@hotmail.ca>
2022-03-22 17:45:23 -07:00 · 2022-03-22 17:45:23 -07:00 · 800b96fe14
commit 800b96fe14
parent 06a00b74e8
1 changed files with 35 additions and 0 deletions
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@ -723,6 +723,41 @@ Migrate your app one major version at a time, while referring to Electron's
 [Breaking Changes][breaking-changes] document to see if any code needs to
 be updated.

+### 17. Validate the `sender` of all IPC messages
+
+You should always validate incoming IPC messages `sender` property to ensure you
+aren't performing actions or sending information to untrusted renderers.
+
+#### Why?
+
+All Web Frames can in theory send IPC messages to the main process, including
+iframes and child windows in some scenarios.  If you have an IPC message that returns
+user data to the sender via `event.reply` or performs privileged actions that the renderer
+can't natively, you should ensure you aren't listening to third party web frames.
+
+You should be validating the `sender` of **all** IPC messages by default.
+
+#### How?
+
+```js title='main.js (Main Process)'
+// Bad
+ipcMain.handle('get-secrets', () => {
+  return getSecrets();
+});
+
+// Good
+ipcMain.handle('get-secrets', (e) => {
+  if (!validateSender(e.senderFrame)) return null;
+  return getSecrets();
+});
+
+function validateSender(frame) {
+  // Value the host of the URL using an actual URL parser and an allowlist
+  if ((new URL(frame.url)).host === 'electronjs.org') return true;
+  return false;
+}
+```
+
 [breaking-changes]: ../breaking-changes.md
 [browser-window]: ../api/browser-window.md
 [browser-view]: ../api/browser-view.md