docs: Use Node's URL parser in the 5th security recommendation (elect…

…ron#33463) Rule 13 recommends using Node's URL parser for handling url inputs. At the moment, this is not being followed in the code example for rule 5, which falls back on checking that the url ends with a '/'. If this was forgotten when a user copies this code it could introduce security vulnerabilities if an attacker uses an URL in the following way: "https://example.com.attacker.com" Using Node's URL parser fixes this potential missuse and enables the '/' to be omited from the code example. Co-authored-by: Baitinq <you@example.com>
solarwindscloud · Feb 22, 2023 · 2975591 · 2975591
1 parent 39b9ae0
commit 2975591
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
@@ -279,19 +279,20 @@ security-conscious developers might want to assume the very opposite.
 
 ```js title='main.js (Main Process)'
 const { session } = require('electron')
+const URL = require('url').URL
 
 session
   .fromPartition('some-partition')
   .setPermissionRequestHandler((webContents, permission, callback) => {
-    const url = webContents.getURL()
+    const parsedUrl = new URL(webContents.getURL())
 
     if (permission === 'notifications') {
       // Approves the permissions request
       callback(true)
     }
 
     // Verify URL
-    if (!url.startsWith('https://example.com/')) {
+    if (parsedUrl.protocol !== 'https:' || parsedUrl.host !== 'example.com') {
       // Denies the permissions request
       return callback(false)
     }