security: block chrome.tabs.executeScript() for non chrome-extension:…
… URLs (#15929)
miniak authored and alexeykuzmin committed Dec 11, 2018
1 parent e044ada commit 607b53c
Showing 1 changed file with 11 additions and 0 deletions.
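--- a/lib/browser/chrome-extension.js
+++ b/lib/browser/chrome-extension.js
@@ -201,7 +201,18 @@ ipcMain.on('CHROME_TABS_SEND_MESSAGE', function (event, tabId, extensionId, isBa
 resultID++
 })
 
+const isChromeExtension = function (pageURL) {
+const { protocol } = url.parse(pageURL)
+return protocol === 'chrome-extension:'
+}
+
 ipcMain.on('CHROME_TABS_EXECUTESCRIPT', function (event, requestId, tabId, extensionId, details) {
+const pageURL = event.sender._getURL()
+if (!isChromeExtension(pageURL)) {
+console.error(`Blocked ${pageURL} from calling chrome.tabs.executeScript()`)
+return
+}
+
 const contents = webContents.fromId(tabId)
 if (!contents) {
 console.error(`Sending message to unknown tab ${tabId}`)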
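Review bot: The guard added at the top of the `CHROME_TABS_EXECUTESCRIPT` handler authorises on the URL scheme alone, so every `chrome-extension:` page passes while `extensionId` is still taken from the IPC arguments and is never compared with the sender. If the rest of the handler (it continues past the hunk) uses `extensionId` to decide which extension's files or identity the script runs under, the check should bind the two, for example `const { protocol, hostname } = url.parse(pageURL)` and rejecting when `hostname !== extensionId`; this assumes the id is the URL's host, which the hunk does not show. The blocked branch also returns without sending anything back for `requestId`, so a caller waiting on a result may hang, and replying with an error would make the denial observable to the caller as well as in the log. A short comment on `isChromeExtension`, such as `// Only extension pages may use chrome.tabs.* IPC; ordinary web content must not reach these handlers`, would record the intent.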
