From 314ebc778cda5483cbdd29a831b50663267f6f2b Mon Sep 17 00:00:00 2001
From: Matt Bierner
Date: Tue, 13 Jun 2017 11:20:38 -0700
Subject: [PATCH] Adding some validation
---
 src/vs/code/electron-main/app.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/vs/code/electron-main/app.ts b/src/vs/code/electron-main/app.ts
index 9d09792a65b..8effa87307f 100644
--- a/src/vs/code/electron-main/app.ts
+++ b/src/vs/code/electron-main/app.ts
@@ -48,6 +48,7 @@ import { isUndefinedOrNull } from "vs/base/common/types";
 import { CodeWindow } from "vs/code/electron-main/window";
 import { isEqual, isParent } from "vs/platform/files/common/files";
 import { KeyboardLayoutMonitor } from "vs/code/electron-main/keyboard";
+import URI from 'vs/base/common/uri';
 
 export class CodeApplication {
 private toDispose: IDisposable[];
@@ -119,6 +120,23 @@ export class CodeApplication {
 }
 });
 
+ const isValidWebviewSource = (source: string) =>
+ !source || (source.toLowerCase() as any).startsWith(URI.file(this.environmentService.appRoot.toLowerCase()).toString());
+
+ app.on('web-contents-created', (event, contents) => {
+ contents.on('will-attach-webview', (event, webPreferences, params) => {
+ delete webPreferences.preload;
+ webPreferences.nodeIntegration = false;
+
+ // Verify URLs being loaded
+ if (isValidWebviewSource(params.src) && isValidWebviewSource(webPreferences.preloadURL)) {
+ return;
+ }
+ // Otherwise prevent loading
+ event.preventDefault();
+ });
+ });
+
 let macOpenFiles: string[] = [];
 let runningTimeout: number = null;
 app.on('open-file', (event: Event, path: string) => {
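Review bot: `isValidWebviewSource` is a raw string-prefix test, so a `src` or `preloadURL` in a sibling directory whose name merely begins with the app-root path, or one that carries `..` segments after the root, still passes and the webview is attached. Parse and normalize the source to a path before comparing, and compare against the root with a trailing separator, for example `const root = URI.file(this.environmentService.appRoot.toLowerCase()).toString() + '/';` followed by the `startsWith(root)` test on the normalized value. Lowercasing both sides also treats distinct paths as equal on case-sensitive file systems, so it is better limited to platforms where paths compare case-insensitively. The handler runs only at attach time, so a later navigation of the webview is presumably not re-checked; that deserves a comment here or a matching guard. The enclosing `CodeApplication` method starts and ends outside this hunk.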