fix: don't forward IPC filtering events to app for dev-tools and exte…

…nsions (#16613)
electron · Jan 30, 2019 · 5d64df1 · 5d64df1
1 parent ae84620
commit 5d64df1
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/lib/browser/api/web-contents.js b/lib/browser/api/web-contents.js
@@ -358,6 +358,17 @@ const addReplyInternalToEvent = (event) => {
   })
 }
 
+const safeProtocols = new Set([
+  'chrome-devtools:',
+  'chrome-extension:'
+])
+
+const isWebContentsTrusted = function (contents) {
+  const pageURL = contents._getURL()
+  const { protocol } = url.parse(pageURL)
+  return safeProtocols.has(protocol)
+}
+
 // Add JavaScript wrappers for WebContents class.
 WebContents.prototype._init = function () {
   // The navigation controller.
@@ -428,7 +439,9 @@ WebContents.prototype._init = function () {
 
   for (const eventName of forwardedEvents) {
     this.on(eventName, (event, ...args) => {
-      app.emit(eventName, event, this, ...args)
+      if (!isWebContentsTrusted(event.sender)) {
+        app.emit(eventName, event, this, ...args)
+      }
     })
   }