Merge pull request #24 from acrosman/feature/security_tweaks_20210511

disables auxclick adds setPermissionRequestHandler
acrosman · May 12, 2021 · 993de86 · 993de86
2 parents 79cafc8 + 0679b45
commit 993de86
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/main.js b/main.js
@@ -5,6 +5,7 @@ const {
   app,
   BrowserWindow,
   ipcMain,
+  session,
 } = electron;
 
 // Developer Dependencies.
@@ -39,6 +40,7 @@ function createWindow() {
       nodeIntegration: false, // Disable nodeIntegration for security.
       nodeIntegrationInWorker: false,
       nodeIntegrationInSubFrames: false,
+      disableBlinkFeatures: 'Auxclick', // See: https://github.com/doyensec/electronegativity/wiki/AUXCLICK_JS_CHECK
       contextIsolation: true, // Enabling contextIsolation to protect against prototype pollution.
       worldSafeExecuteJavaScript: true, // https://github.com/electron/electron/pull/24712
       enableRemoteModule: false, // Turn off remote to avoid temptation.
@@ -59,6 +61,15 @@ function createWindow() {
     // when you should delete the corresponding element.
     mainWindow = null;
   });
+
+  // Lock down session permissions.
+  // https://www.electronjs.org/docs/tutorial/security#4-handle-session-permission-requests-from-remote-content
+  // https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK
+  session
+    .fromPartition('secured-partition')
+    .setPermissionRequestHandler((webContents, permission, callback) => {
+      callback(false);
+    });
 }
 
 // This method will be called when Electron has finished