update preload files

README.md

@@ -18,8 +18,8 @@ Build Instructions:
 - to locally run mac version: npm run dev:mac
 - to locally run windows (64 bit) version: npm run dev:win
 - to build mac dmg: npm run dist-mac
-- to build win exe installer (64 bit): npm run dist-win
+- to build win squirrel msi exe installer (64 bit): npm run dist-win
-- to build win exe installer (32 bit): npm run dist-win-x86
+- to build win squirrel msi exe installer (32 bit): npm run dist-win-x86
 
 to change the url start location, edit package.json and change 'homepage' variable.
 

js/child-preload.js

@@ -1,24 +0,0 @@
-// script run before others and still has access to node integration, even
-// when turned off - allows us to leak only what want into window object.
-// see: http://electron.atom.io/docs/api/browser-window/
-//
-// to leak some node module into:
-// https://medium.com/@leonli/securing-embedded-external-content-in-electron-node-js-8b6ef665cd8e#.fex4e68p7
-// https://slack.engineering/building-hybrid-applications-with-electron-dc67686de5fb#.tp6zz1nrk
-//
-// also to bring pieces of node.js:
-// https://github.com/electron/electron/issues/2984
-//
-
-const { ipcRenderer } = require('electron');
-
-// hold ref so doesn't get GC'ed
-const local = {
-    ipcRenderer: ipcRenderer
-};
-
-// API exposed by Symphony to a child window:
-window.SYM_API = {
-};
-
-Object.freeze(window.SYM_API);

js/main.js

@@ -1,3 +1,5 @@
+'use strict';
+
 const electron = require('electron');
 const packageJSON = require('../package.json');
 const menuTemplate = require('./menuTemplate.js');
@@ -38,7 +40,7 @@ function createMainWindow () {
         webPreferences: {
             sandbox: true,
             nodeIntegration: false,
-            preload: path.join(__dirname, '/main-preload.js'),
+            preload: path.join(__dirname, '/preload.js'),
             winKey: key
         }
     });
@@ -103,7 +105,7 @@ function storeWindowKey(key, browserWin) {
 function isValidWindow(event) {
     if (event && event.sender) {
         // validate that event sender is from window we created
-        let browserWin = electron.BrowserWindow.fromWebContents(event.sender)
+        let browserWin = electron.BrowserWindow.fromWebContents(event.sender);
         let winKey = event.sender.browserWindowOptions &&
             event.sender.browserWindowOptions.webPreferences &&
             event.sender.browserWindowOptions.webPreferences.winKey;
@@ -117,6 +119,30 @@ function isValidWindow(event) {
     return false;
 }
 
+/**
+ * Only permit certain cmds for some windows
+ * @param  {EventEmitter} event  node emitter event to be tested
+ * @param  {String}  cmd   cmd name
+ * @return {Boolean}       true if cmd is allowed for window, otherwise false
+ */
+function isCmdAllowed(event, cmd) {
+    if (event && event.sender && cmd) {
+        // validate that event sender is from window we created
+        let browserWin = electron.BrowserWindow.fromWebContents(event.sender);
+
+        if (browserWin === mainWindow) {
+            // allow all commands for main window
+            return true;
+        } else {
+            // allow only certain cmds for child windows
+            // e.g., open cmd not allowed for child windows
+            return (arg.cmd !== 'open');
+        }
+    }
+
+    return false;
+}
+
 /**
  * Handle ipc messages from renderers. Only messages from windows we have
  * created are allowed.
@@ -127,6 +153,11 @@ electron.ipcMain.on('symphony-msg', (event, arg) => {
         return;
     }
 
+    if (!isCmdAllowed(event, arg && arg.cmd)) {
+        console.log('cmd is not allowed for this window: ' + arg.cmd);
+        return;
+    }
+
     if (arg && arg.cmd === 'open' && arg.url) {
         let width = arg.width || 1024;
         let height = arg.height || 768;
@@ -140,7 +171,7 @@ electron.ipcMain.on('symphony-msg', (event, arg) => {
             webPreferences: {
                 sandbox: true,
                 nodeIntegration: false,
-                preload: path.join(__dirname, '/child-preload.js'),
+                preload: path.join(__dirname, '/preload.js'),
                 winKey: winKey
             }
         });

js/menuTemplate.js

@@ -1,3 +1,5 @@
+'use strict';
+
 const template = [
   {
     label: 'Edit',

js/preload.js

@@ -1,3 +1,5 @@
+'use strict';
+
 // script run before others and still has access to node integration, even
 // when turned off - allows us to leak only what want into window object.
 // see: http://electron.atom.io/docs/api/browser-window/
@@ -17,8 +19,13 @@ const local = {
     ipcRenderer: ipcRenderer
 };
 
-// API exposed by Symphony to main window:
+// API exposed by Symphony to renderer processes:
+// Note: certain cmds are only allowed on some windows, this is checked by
+// main process.
 window.SYM_API = {
+    version: '1.0.0', // api version
+
+    // only allowed by main window - enforced by main process.
     openWindow: function(url) {
         local.ipcRenderer.send('symphony-msg', {
             cmd: 'open',

package.json

@@ -12,8 +12,8 @@
     "dist-mac": "build --mac",
     "dist-win": "build --win --x64",
     "dist-win-x86": "build --win --ia32",
-	"win-unpacked": "build --win --x64 --dir",
+    "win-unpacked": "build --win --x64 --dir",
-	"win-x86-unpacked": "build --win --ia32 --dir"
+    "win-x86-unpacked": "build --win --ia32 --dir"
   },
   "build": {
     "appId": "symphony-electron-desktop",