From 8e368a046d67926f89936d5c64777cb883f2a4b7 Mon Sep 17 00:00:00 2001 From: Samuel Attard Date: Sat, 18 Jan 2020 16:13:30 -0800 Subject: [PATCH] fix: better window hierarchy checks --- lib/browser/guest-window-manager.js | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/browser/guest-window-manager.js b/lib/browser/guest-window-manager.js index b9aaaa6ce5bc..35a1432d6563 100644 --- a/lib/browser/guest-window-manager.js +++ b/lib/browser/guest-window-manager.js @@ -1,6 +1,7 @@ 'use strict'; const electron = require('electron'); +const nodeUrl = require('url'); const { BrowserWindow } = electron; const { isSameOrigin } = process.electronBinding('v8_util'); const { ipcMainInternal } = require('@electron/internal/browser/ipc-main-internal'); @@ -181,9 +182,8 @@ const isNodeIntegrationEnabled = function (sender) { // Checks whether |sender| can access the |target|: const canAccessWindow = function (sender, target) { - return isChildWindow(sender, target) || - isScriptableWindow(sender, target) || - isNodeIntegrationEnabled(sender); + return isScriptableWindow(sender, target) || + (isChildWindow(sender, target) && isNodeIntegrationEnabled(sender)); }; // Routed window.open messages with raw options @@ -191,6 +191,12 @@ ipcMainInternal.on('ELECTRON_GUEST_WINDOW_MANAGER_WINDOW_OPEN', (event, url, fra if (url == null || url === '') url = 'about:blank'; if (frameName == null) frameName = ''; if (features == null) features = ''; + const parsedSourceURL = nodeUrl.parse(event.sender.getURL()); + const parsedTargetURL = nodeUrl.parse(url); + if (parsedTargetURL.protocol === 'file:' && parsedSourceURL.protocol !== 'file:') { + event.returnValue = null; + return; + } const options = {};