| author | Oskar Nyberg <oskar@mullvad.net> | 2020-12-18 15:39:47 +0100 |
|---|---|---|
| committer | Oskar Nyberg <oskar@mullvad.net> | 2020-12-18 15:39:47 +0100 |
| commit | a0af743382e4b06a3a884a90cd56d62ba70f67ba (patch) | |
| tree | d2aea1b35b21a785ed2a4068a97ccbb305da51f2 | |
| parent | e6a87dd7e49772e891405514db0483c909e576ac (diff) | |
| parent | 5f7b07c80f5037395f9aa0f8b169946d9eb2f640 (diff) | |
Merge branch 'intercept-web-reqeusts'
| -rw-r--r-- | gui/src/main/index.ts | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/gui/src/main/index.ts b/gui/src/main/index.ts
index a2e9a0560a..2db95816a0 100644
--- a/gui/src/main/index.ts
+++ b/gui/src/main/index.ts
@@ -356,6 +356,8 @@ class ApplicationMain {
 // fetching. https://github.com/electron/electron/issues/22995
 session.defaultSession.setSpellCheckerDictionaryDownloadURL('https://00.00/');
+ this.blockRequests();
+
 this.updateCurrentLocale();
 this.daemonRpc.addConnectionObserver(
@@ -1362,6 +1364,37 @@ class ApplicationMain {
 }
 }
+ // Since the app frontend never performs any network requests, all requests originating from the
+ // renderer process are blocked to protect against the potential threat of malicious third party
+ // dependencies. There are a few exceptions which are described further down.
+ private blockRequests() {
+ session.defaultSession.webRequest.onBeforeRequest(
+ { urls: ['*://*/*'] },
+ (details, callback) => {
+ if (
+ process.env.NODE_ENV === 'development' &&
+ // Local web server providing assests (index.html, index.js and css files)
+ (details.url.startsWith('http://localhost:8080/') ||
+ // Automatic reloading performed by the browser-sync module
+ details.url.startsWith('http://localhost:35829/browser-sync/') ||
+ // Downloading of React and Redux developer tools.
+ details.url.startsWith('https://clients2.google.com') ||
+ details.url.startsWith('https://clients2.googleusercontent.com'))
+ ) {
+ callback({});
+ } else {
+ log.error(`${details.method} request blocked: ${details.url}`);
+ callback({ cancel: true });
+
+ // Throw error in development to notify since this should never happen.
+ if (process.env.NODE_ENV === 'development') {
+ throw new Error('Web request blocked');
+ }
+ }
+ },
+ );
+ }
+
 private async installDevTools() {
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const installer = require('electron-devtools-installer');
|
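Review bot: The two Google allow-list entries in `blockRequests()` are matched with `startsWith('https://clients2.google.com')` and `startsWith('https://clients2.googleusercontent.com')`, with no trailing slash, so any host that merely begins with those strings (for example a constructed `https://clients2.google.com.example.test/`) passes as well; the localhost entries do not have this gap because their prefixes end in a path. The branch is only reachable when `NODE_ENV === 'development'`, but the allow-list is the whole control here, so compare the parsed origin instead, e.g. `const { origin } = new URL(details.url);` followed by `origin === 'https://clients2.google.com'`, or at minimum append `/` to both prefixes. The handler is registered on `session.defaultSession` only; if any window is created with its own session or partition (not visible in this hunk), its requests would not pass through this block, which is worth stating in the comment above the method.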
