Harden Electron renderer security

electron/ipc/handlers.ts

@@ -1,7 +1,7 @@
 import fs from "node:fs/promises";
 import { createRequire } from "node:module";
 import path from "node:path";
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 
 const nodeRequire = createRequire(import.meta.url);
 
@@ -11,6 +11,8 @@ import {
 	desktopCapturer,
 	dialog,
 	ipcMain,
+	net,
+	protocol,
 	screen,
 	shell,
 	systemPreferences,
@@ -33,6 +35,7 @@ const PROJECT_FILE_EXTENSION = "openscreen";
 const SHORTCUTS_FILE = path.join(app.getPath("userData"), "shortcuts.json");
 const RECORDING_SESSION_SUFFIX = ".session.json";
 const ALLOWED_IMPORT_VIDEO_EXTENSIONS = new Set([".webm", ".mp4", ".mov", ".avi", ".mkv"]);
+const LOCAL_MEDIA_PROTOCOL = "openscreen-media";
 
 /**
  * Paths explicitly approved by the user via file picker dialogs or project loads.
@@ -79,6 +82,41 @@ function hasAllowedImportVideoExtension(filePath: string): boolean {
 	return ALLOWED_IMPORT_VIDEO_EXTENSIONS.has(path.extname(filePath).toLowerCase());
 }
 
+let localMediaProtocolRegistered = false;
+
+function parseLocalMediaPath(url: string): string | null {
+	try {
+		const parsed = new URL(url);
+		if (parsed.protocol !== `${LOCAL_MEDIA_PROTOCOL}:` || parsed.hostname !== "local") {
+			return null;
+		}
+		const encodedPath = parsed.pathname.replace(/^\/+/, "");
+		return encodedPath ? decodeURIComponent(encodedPath) : null;
+	} catch {
+		return null;
+	}
+}
+
+function registerLocalMediaProtocol() {
+	if (localMediaProtocolRegistered) return;
+
+	protocol.handle(LOCAL_MEDIA_PROTOCOL, async (request) => {
+		const requestedPath = parseLocalMediaPath(request.url);
+		const normalizedPath = normalizeVideoSourcePath(requestedPath);
+
+		if (
+			!normalizedPath ||
+			!isPathAllowed(normalizedPath) ||
+			!hasAllowedImportVideoExtension(normalizedPath)
+		) {
+			return new Response("Not found", { status: 404 });
+		}
+
+		return net.fetch(pathToFileURL(normalizedPath).toString());
+	});
+	localMediaProtocolRegistered = true;
+}
+
 async function approveReadableVideoPath(
 	filePath?: string | null,
 	trustedDirs?: string[],
@@ -486,6 +524,8 @@ export function registerIpcHandlers(
 	onRecordingStateChange?: (recording: boolean, sourceName: string) => void,
 	switchToHud?: () => void,
 ) {
+	registerLocalMediaProtocol();
+
 	const supportsWindowOpacity = process.platform !== "linux";
 	const countdownOverlayState = {
 		visible: false,

electron/main.ts

@@ -8,6 +8,7 @@ import {
 	ipcMain,
 	Menu,
 	nativeImage,
+	protocol,
 	session,
 	systemPreferences,
 	Tray,
@@ -82,11 +83,60 @@ let tray: Tray | null = null;
 let selectedSourceName = "";
 const isMac = process.platform === "darwin";
 const trayIconSize = isMac ? 16 : 24;
+const ALLOWED_MEDIA_PERMISSIONS = new Set([
+	"media",
+	"audioCapture",
+	"microphone",
+	"videoCapture",
+	"camera",
+]);
+const LOCAL_MEDIA_PROTOCOL = "openscreen-media";
+
+protocol.registerSchemesAsPrivileged([
+	{
+		scheme: LOCAL_MEDIA_PROTOCOL,
+		privileges: {
+			standard: true,
+			secure: true,
+			stream: true,
+			supportFetchAPI: true,
+		},
+	},
+]);
 
 // Tray Icons
 const defaultTrayIcon = getTrayIcon("openscreen.png", trayIconSize);
 const recordingTrayIcon = getTrayIcon("rec-button.png", trayIconSize);
 
+function isTrustedRendererUrl(url: string) {
+	if (!url) return false;
+
+	try {
+		const parsed = new URL(url);
+
+		if (VITE_DEV_SERVER_URL) {
+			return parsed.origin === new URL(VITE_DEV_SERVER_URL).origin;
+		}
+
+		if (parsed.protocol !== "file:") {
+			return false;
+		}
+
+		return path.normalize(fileURLToPath(parsed)) === path.join(RENDERER_DIST, "index.html");
+	} catch {
+		return false;
+	}
+}
+
+function isTrustedMediaPermissionRequest(
+	webContents: Electron.WebContents | null | undefined,
+	permission: string,
+) {
+	return (
+		ALLOWED_MEDIA_PERMISSIONS.has(permission) && isTrustedRendererUrl(webContents?.getURL() ?? "")
+	);
+}
+
 function createWindow() {
 	mainWindow = createHudOverlayWindow();
 }
@@ -377,15 +427,13 @@ app.on("activate", () => {
 
 // Register all IPC handlers when app is ready
 app.whenReady().then(async () => {
-	// Allow microphone/media permission checks
-	session.defaultSession.setPermissionCheckHandler((_webContents, permission) => {
-		const allowed = ["media", "audioCapture", "microphone", "videoCapture", "camera"];
-		return allowed.includes(permission);
-	});
+	// Allow capture permissions only for first-party renderer windows.
+	session.defaultSession.setPermissionCheckHandler((webContents, permission) =>
+		isTrustedMediaPermissionRequest(webContents, permission),
+	);
 
-	session.defaultSession.setPermissionRequestHandler((_webContents, permission, callback) => {
-		const allowed = ["media", "audioCapture", "microphone", "videoCapture", "camera"];
-		callback(allowed.includes(permission));
+	session.defaultSession.setPermissionRequestHandler((webContents, permission, callback) => {
+		callback(isTrustedMediaPermissionRequest(webContents, permission));
 	});
 
 	// Request microphone permission from macOS

electron/windows.ts

@@ -1,6 +1,6 @@
 import path from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
-import { BrowserWindow, ipcMain, screen } from "electron";
+import { BrowserWindow, ipcMain, screen, shell } from "electron";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -15,9 +15,59 @@ const ASSET_BASE_DIR = process.defaultApp
 	? path.join(__dirname, "..", "public")
 	: process.resourcesPath;
 const ASSET_BASE_URL_ARG = `--asset-base-url=${pathToFileURL(`${ASSET_BASE_DIR}${path.sep}`).toString()}`;
+const ALLOWED_EXTERNAL_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
 
 let hudOverlayWindow: BrowserWindow | null = null;
 
+function isRendererAppUrl(url: string) {
+	if (!url) return false;
+
+	try {
+		const parsed = new URL(url);
+
+		if (parsed.protocol === "about:") {
+			return parsed.href === "about:blank";
+		}
+
+		if (VITE_DEV_SERVER_URL) {
+			return parsed.origin === new URL(VITE_DEV_SERVER_URL).origin;
+		}
+
+		if (parsed.protocol !== "file:") {
+			return false;
+		}
+
+		return path.normalize(fileURLToPath(parsed)) === path.join(RENDERER_DIST, "index.html");
+	} catch {
+		return false;
+	}
+}
+
+function openExternalUrl(url: string) {
+	try {
+		const parsed = new URL(url);
+		if (ALLOWED_EXTERNAL_PROTOCOLS.has(parsed.protocol)) {
+			void shell.openExternal(parsed.toString());
+		}
+	} catch {
+		// Ignore malformed renderer-supplied URLs.
+	}
+}
+
+function configureNavigationGuards(win: BrowserWindow) {
+	win.webContents.setWindowOpenHandler(({ url }) => {
+		openExternalUrl(url);
+		return { action: "deny" };
+	});
+
+	win.webContents.on("will-navigate", (event, url) => {
+		if (isRendererAppUrl(url)) return;
+
+		event.preventDefault();
+		openExternalUrl(url);
+	});
+}
+
 ipcMain.on("hud-overlay-hide", () => {
 	if (hudOverlayWindow && !hudOverlayWindow.isDestroyed()) {
 		hudOverlayWindow.minimize();
@@ -63,6 +113,7 @@ export function createHudOverlayWindow(): BrowserWindow {
 			backgroundThrottling: false,
 		},
 	});
+	configureNavigationGuards(win);
 
 	// Follow the user across macOS Spaces (virtual desktops).
 	// Without this the HUD stays pinned to the Space it was first opened on.
@@ -121,10 +172,10 @@ export function createEditorWindow(): BrowserWindow {
 			additionalArguments: [ASSET_BASE_URL_ARG],
 			nodeIntegration: false,
 			contextIsolation: true,
-			webSecurity: false,
 			backgroundThrottling: false,
 		},
 	});
+	configureNavigationGuards(win);
 
 	// Maximize the window by default
 	win.maximize();
@@ -170,6 +221,7 @@ export function createSourceSelectorWindow(): BrowserWindow {
 			contextIsolation: true,
 		},
 	});
+	configureNavigationGuards(win);
 
 	// Follow the user across macOS Spaces so the selector appears on the
 	// active desktop regardless of where the HUD was originally opened.
@@ -223,6 +275,7 @@ export function createCountdownOverlayWindow(): BrowserWindow {
 			backgroundThrottling: false,
 		},
 	});
+	configureNavigationGuards(win);
 
 	win.setIgnoreMouseEvents(true);
 

index.html

@@ -1,8 +1,12 @@
 <!doctype html>
 <html lang="en">
   <head>
-    <meta charset="UTF-8" />
-    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <meta charset="UTF-8" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; base-uri 'self'; object-src 'none'; script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: file: https: http:; media-src 'self' data: blob: file: openscreen-media: https: http:; font-src 'self' data: https://fonts.gstatic.com; worker-src 'self' blob:; connect-src 'self' http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*"
+    />
+    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title></title>
   </head>