feat: add new fuse to treat file: identically to browsers #40372
Conversation
9c3b23d to
0e8324f
Compare
| **Default:** Enabled | ||
| **@electron/fuses:** `FuseV1Options.GrantFileProtocolExtraPrivileges` | ||
|
|
||
| The grantFileProtocolExtraPrivileges fuse changes whether pages loaded from the `file://` protocol are given privileges beyond what they would receive in a traditional web browser. This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be [serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead. If you aren't serving pages from `file://` you should disable this fuse. |
There was a problem hiding this comment.
This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be serving local files from custom protocols now instead.
Is there a specific major version that we want to mention?
There was a problem hiding this comment.
I don't think so, this has been doable with custom protocols for long enough we don't need to specifically say when
|
API LGTM |
|
Release Notes Persisted
|
|
Using a custom protocol to improve security is a great idea. Unfortunately we found that it breaks the React & Redux devtools. If anyone has a workaround please let me know. Without support for those tools we had to rollback our use of a custom protocol. |
| // NB, this checks for paths that escape the bundle, e.g. | ||
| // app://bundle/../../secret_file.txt | ||
| return net.fetch(pathToFileURL(join(__dirname, pathname)).toString()) | ||
| const pathToServe = path.resolve(__dirname, pathname) | ||
| const relativePath = path.relative(__dirname, pathToServe) | ||
| const isSafe = relativePath && !relativePath.startsWith('..') && !path.isAbsolute(relativePath) | ||
| if (!isSafe) { | ||
| return new Response('bad', { | ||
| status: 400, | ||
| headers: { 'content-type': 'text/html' } | ||
| }) | ||
| } |
There was a problem hiding this comment.
Is there any reason to check for relative paths here @MarshallOfSound? As far as I understand it's impossible to use relative paths in URLs.
e.g.
window.location = 'app://bundle/../../test.html' // navigates to app://bundle/test.html, skipping `..` segments
window.location = 'app://../../test.html' // navigates to app://../test.html, but `..` is not an allowed host.
A long standing gap between Electron and "The Web" has been are special treatment of
file://URLs. This was handy during the early days but nowadays we have a good stable customprotocolAPI that should supercede the usage of a "privileged"file://protocol.This PR does a few things in one go:
file://protocolfile://protocolNotes: Added new Electron Fuse that opts the
file://protocol into more secure and restrictive behaviour that matches Chromium