From beb65b14c084192047b41f3f72260ea8010bc544 Mon Sep 17 00:00:00 2001
From: Scott Nonnenberg <scott@signal.org>
Date: Thu, 24 May 2018 12:13:16 -0700
Subject: [PATCH] Deny all permissions we don't actually need

---
 app/permissions.js | 33 +++++++++++++++++++++++++++++++++
 main.js            | 15 +++++++--------
 2 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 app/permissions.js

diff --git a/app/permissions.js b/app/permissions.js
new file mode 100644
index 00000000000..6493034d539
--- /dev/null
+++ b/app/permissions.js
@@ -0,0 +1,33 @@
+// The list of permissions is here:
+//   https://electronjs.org/docs/api/session#sessetpermissionrequesthandlerhandler
+
+const PERMISSIONS = {
+  // Allowed
+  fullscreen: true, // required to show videos in full-screen
+  media: true, // required for access to microphone, used for voice notes
+  notifications: true, // required to show OS notifications for new messages
+
+  // Not allowed
+  geolocation: false,
+  midiSysex: false,
+  openExternal: false, // we don't need this; we open links via 'will-navigate' event
+  pointerLock: false,
+};
+
+function _permissionHandler(webContents, permission, callback) {
+  if (PERMISSIONS[permission]) {
+    console.log(`Approving request for permission '${permission}'`);
+    return callback(true);
+  }
+
+  console.log(`Denying request for permission '${permission}'`);
+  return callback(false);
+}
+
+function installPermissionsHandler({ session }) {
+  session.defaultSession.setPermissionRequestHandler(_permissionHandler);
+}
+
+module.exports = {
+  installPermissionsHandler,
+};
diff --git a/main.js b/main.js
index 81dd73eedef..b398283fc6f 100644
--- a/main.js
+++ b/main.js
@@ -6,12 +6,13 @@ const _ = require('lodash');
 const electron = require('electron');
 
 const {
-  BrowserWindow,
   app,
-  Menu,
-  shell,
+  BrowserWindow,
   ipcMain: ipc,
+  Menu,
   protocol: electronProtocol,
+  session,
+  shell,
 } = electron;
 
 const packageJson = require('./package.json');
@@ -27,6 +28,7 @@ const {
   installFileHandler,
   installWebHandler,
 } = require('./app/protocol_filter');
+const { installPermissionsHandler } = require('./app/permissions');
 
 GlobalErrors.addHandler();
 
@@ -306,11 +308,6 @@ function createWindow() {
 
   captureClicks(mainWindow);
 
-  mainWindow.webContents.on('will-navigate', event => {
-    logger.info('will-navigate');
-    event.preventDefault();
-  });
-
   // Emitted when the window is about to be closed.
   mainWindow.on('close', e => {
     // If the application is terminating, just do the default
@@ -460,6 +457,8 @@ app.on('ready', () => {
     protocol: electronProtocol,
   });
 
+  installPermissionsHandler({ session });
+
   // NOTE: Temporarily allow `then` until we convert the entire file to `async` / `await`:
   /* eslint-disable more/no-then */
   let loggingSetupError;