fix: better window hierarchy checks

Samuel Attard 2020-01-18 16:13:30 -08:00
parent decbca734f
commit 8e368a046d
No known key found for this signature in database
GPG key ID: FB94249299E904FE


@ -1,6 +1,7 @@
'use strict';
const electron = require('electron');
const nodeUrl = require('url');
const { BrowserWindow } = electron;
const { isSameOrigin } = process.electronBinding('v8_util');
const { ipcMainInternal } = require('@electron/internal/browser/ipc-main-internal');
@ -181,9 +182,8 @@ const isNodeIntegrationEnabled = function (sender) {
// Checks whether |sender| can access the |target|:
const canAccessWindow = function (sender, target) {
return isChildWindow(sender, target) ||
isScriptableWindow(sender, target) ||
isNodeIntegrationEnabled(sender);
return isScriptableWindow(sender, target) ||
(isChildWindow(sender, target) && isNodeIntegrationEnabled(sender));
};
// Routed window.open messages with raw options
@ -191,6 +191,12 @@ ipcMainInternal.on('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_OPEN', (event, url, fra
if (url == null || url === '') url = 'about:blank';
if (frameName == null) frameName = '';
if (features == null) features = '';
const parsedSourceURL = nodeUrl.parse(event.sender.getURL());
const parsedTargetURL = nodeUrl.parse(url);
if (parsedTargetURL.protocol === 'file:' && parsedSourceURL.protocol !== 'file:') {
event.returnValue = null;
return;
}
const options = {};
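Review bot: The new `file:` guard in the ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_OPEN handler takes the target scheme from the legacy `nodeUrl.parse`, which accepts almost any string and reports `protocol` as `null` rather than failing. Its answer can therefore differ from the scheme that the code loading this renderer-supplied `url` presumably derives later. Parsing the target with the WHATWG `nodeUrl.URL` class and returning `null` when it throws makes the check fail closed. That assumes the renderer always sends an absolute URL, which is not visible on this page and should be confirmed; otherwise resolve against the sender URL first. The handler body continues outside the hunk.

```javascript
  if (features == null) features = '';
  // … unchanged: parsedSourceURL from event.sender.getURL() …
  let targetProtocol;
  try {
    targetProtocol = new nodeUrl.URL(url).protocol;
  } catch (error) {
    // Fail closed: a target that does not parse as an absolute URL is not opened.
    event.returnValue = null;
    return;
  }
  if (targetProtocol === 'file:' && parsedSourceURL.protocol !== 'file:') {
    // … unchanged: event.returnValue = null; return; …
  }
```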