update preload files

This commit is contained in:
Lynn Neir 2017-02-14 17:44:15 -08:00
parent 760252cef6
commit 074d73c712
6 changed files with 48 additions and 32 deletions

View File

@ -18,8 +18,8 @@ Build Instructions:
- to locally run mac version: npm run dev:mac
- to locally run windows (64 bit) version: npm run dev:win
- to build mac dmg: npm run dist-mac
- to build win exe installer (64 bit): npm run dist-win
- to build win exe installer (32 bit): npm run dist-win-x86
- to build win squirrel msi exe installer (64 bit): npm run dist-win
- to build win squirrel msi exe installer (32 bit): npm run dist-win-x86
to change the url start location, edit package.json and change 'homepage' variable.

View File

@ -1,24 +0,0 @@
// script run before others and still has access to node integration, even
// when turned off - allows us to leak only what want into window object.
// see: http://electron.atom.io/docs/api/browser-window/
//
// to leak some node module into:
// https://medium.com/@leonli/securing-embedded-external-content-in-electron-node-js-8b6ef665cd8e#.fex4e68p7
// https://slack.engineering/building-hybrid-applications-with-electron-dc67686de5fb#.tp6zz1nrk
//
// also to bring pieces of node.js:
// https://github.com/electron/electron/issues/2984
//
const { ipcRenderer } = require('electron');
// hold ref so doesn't get GC'ed
const local = {
ipcRenderer: ipcRenderer
};
// API exposed by Symphony to a child window:
window.SYM_API = {
};
Object.freeze(window.SYM_API);

View File

@ -1,3 +1,5 @@
'use strict';
const electron = require('electron');
const packageJSON = require('../package.json');
const menuTemplate = require('./menuTemplate.js');
@ -38,7 +40,7 @@ function createMainWindow () {
webPreferences: {
sandbox: true,
nodeIntegration: false,
preload: path.join(__dirname, '/main-preload.js'),
preload: path.join(__dirname, '/preload.js'),
winKey: key
}
});
@ -103,7 +105,7 @@ function storeWindowKey(key, browserWin) {
function isValidWindow(event) {
if (event && event.sender) {
// validate that event sender is from window we created
let browserWin = electron.BrowserWindow.fromWebContents(event.sender)
let browserWin = electron.BrowserWindow.fromWebContents(event.sender);
let winKey = event.sender.browserWindowOptions &&
event.sender.browserWindowOptions.webPreferences &&
event.sender.browserWindowOptions.webPreferences.winKey;
@ -117,6 +119,30 @@ function isValidWindow(event) {
return false;
}
/**
* Only permit certain cmds for some windows
* @param {EventEmitter} event node emitter event to be tested
* @param {String} cmd cmd name
* @return {Boolean} true if cmd is allowed for window, otherwise false
*/
function isCmdAllowed(event, cmd) {
if (event && event.sender && cmd) {
// validate that event sender is from window we created
let browserWin = electron.BrowserWindow.fromWebContents(event.sender);
if (browserWin === mainWindow) {
// allow all commands for main window
return true;
} else {
// allow only certain cmds for child windows
// e.g., open cmd not allowed for child windows
return (arg.cmd !== 'open');
}
}
return false;
}
/**
* Handle ipc messages from renderers. Only messages from windows we have
* created are allowed.
@ -127,6 +153,11 @@ electron.ipcMain.on('symphony-msg', (event, arg) => {
return;
}
if (!isCmdAllowed(event, arg && arg.cmd)) {
console.log('cmd is not allowed for this window: ' + arg.cmd);
return;
}
if (arg && arg.cmd === 'open' && arg.url) {
let width = arg.width || 1024;
let height = arg.height || 768;
@ -140,7 +171,7 @@ electron.ipcMain.on('symphony-msg', (event, arg) => {
webPreferences: {
sandbox: true,
nodeIntegration: false,
preload: path.join(__dirname, '/child-preload.js'),
preload: path.join(__dirname, '/preload.js'),
winKey: winKey
}
});

View File

@ -1,3 +1,5 @@
'use strict';
const template = [
{
label: 'Edit',

View File

@ -1,3 +1,5 @@
'use strict';
// script run before others and still has access to node integration, even
// when turned off - allows us to leak only what want into window object.
// see: http://electron.atom.io/docs/api/browser-window/
@ -17,8 +19,13 @@ const local = {
ipcRenderer: ipcRenderer
};
// API exposed by Symphony to main window:
// API exposed by Symphony to renderer processes:
// Note: certain cmds are only allowed on some windows, this is checked by
// main process.
window.SYM_API = {
version: '1.0.0', // api version
// only allowed by main window - enforced by main process.
openWindow: function(url) {
local.ipcRenderer.send('symphony-msg', {
cmd: 'open',