In regards to securely handling custom protocols, the Electron docs suggest preventing relative path traversal (https://www.electronjs.org/docs/latest/api/protocol#protocolhandlescheme-handler):

```js
const path = require('path')
const { net } = require('electron')
const { pathToFileURL } = require('url')

// Inside the protocol.handle('app', ...) callback; `pathname` comes from new URL(req.url)
// NB, this checks for paths that escape the bundle, e.g.
// app://bundle/../../secret_file.txt
const pathToServe = path.resolve(__dirname, pathname)
const relativePath = path.relative(__dirname, pathToServe)
const isSafe = relativePath && !relativePath.startsWith('..') && !path.isAbsolute(relativePath)
if (!isSafe) {
  return new Response('bad', { status: 400, headers: { 'content-type': 'text/html' } })
}
return net.fetch(pathToFileURL(pathToServe).toString())
```
How does this compare to the current protocol handler https://github.com/reZach/secure-electron-template/blob/master/app/electron/protocol.js
Is there a benefit to one over the other? I am happy to make a PR to add comments explaining the benefits or to consolidate on the preferred option.