diff --git a/package.json b/package.json
index 31f9409..2f021d0 100644
--- a/package.json
+++ b/package.json
@@ -57,7 +57,7 @@
 "tar": "^6.0.1"
 },
 "hakDependencies": {
- "matrix-seshat": "^2.2.1",
+ "matrix-seshat": "^2.2.2",
 "keytar": "^5.6.0"
 },
 "build": {
diff --git a/src/electron-main.js b/src/electron-main.js
index 95d3a8f..132e49d 100644
--- a/src/electron-main.js
+++ b/src/electron-main.js
@@ -1,9 +1,8 @@
 /*
 Copyright 2016 Aviral Dasgupta
 Copyright 2016 OpenMarket Ltd
-Copyright 2018, 2019 New Vector Ltd
 Copyright 2017, 2019 Michael Telatynski <7t3chguy@gmail.com>
-Copyright 2020 The Matrix.org Foundation C.I.C.
+Copyright 2018 - 2021 New Vector Ltd

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -922,11 +921,7 @@ app.on('ready', async () => {
 nodeIntegration: false,
 //sandbox: true, // We enable sandboxing from app.enableSandbox() above
 enableRemoteModule: false,
- // We don't use this: it's useful for the preload script to
- // share a context with the main page so we can give select
- // objects to the main page. The sandbox option isolates the
- // main page from the background script.
- contextIsolation: false,
+ contextIsolation: true,
 webgl: false,
 spellcheck: true,
 },
diff --git a/src/preload.js b/src/preload.js
index 438093a..64849f5 100644
--- a/src/preload.js
+++ b/src/preload.js
@@ -1,5 +1,5 @@
 /*
-Copyright 2018, 2019 New Vector Ltd
+Copyright 2018, 2019, 2021 New Vector Ltd

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
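Review bot: The `contextIsolation: true` line in src/electron-main.js is left without a comment, while the commit deletes the four-line explanation of why isolation used to be off, so nothing at this spot tells a maintainer that the preload script now depends on the setting. `contextBridge.exposeInMainWorld` in src/preload.js only works with isolation enabled, so I would add `// Must stay true: preload.js exposes its API through contextBridge, and the page must not share the preload context.` above the line. The options object and the `app.on('ready', …)` handler both start outside the hunk, so the other options were not reviewed.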
@@ -14,10 +14,58 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-const { ipcRenderer, desktopCapturer } = require('electron');
+const { ipcRenderer, desktopCapturer, contextBridge } = require('electron');

-// expose ipcRenderer to the renderer process
-window.ipcRenderer = ipcRenderer;
+// Expose only expected IPC wrapper APIs to the renderer process to avoid
+// handing out generalised messaging access.

-// expose desktopCapturer to the render process to make screen-sharing work
-global.desktopCapturer = desktopCapturer;
+const CHANNELS = [
+ "app_onAction",
+ "before-quit",
+ "check_updates",
+ "install_update",
+ "ipcCall",
+ "ipcReply",
+ "loudNotification",
+ "preferences",
+ "seshat",
+ "seshatReply",
+ "setBadgeCount",
+ "update-downloaded",
+ "userDownloadCompleted",
+ "userDownloadOpen",
+];
+
+contextBridge.exposeInMainWorld(
+ "electron",
+ {
+ on(channel, listener) {
+ if (!CHANNELS.includes(channel)) {
+ console.error(`Unknown IPC channel ${channel} ignored`);
+ return;
+ }
+ ipcRenderer.on(channel, listener);
+ },
+ send(channel, ...args) {
+ if (!CHANNELS.includes(channel)) {
+ console.error(`Unknown IPC channel ${channel} ignored`);
+ return;
+ }
+ ipcRenderer.send(channel, ...args);
+ },
+ async getDesktopCapturerSources(options) {
+ const sources = await desktopCapturer.getSources(options);
+ const desktopCapturerSources = [];
+
+ for (const source of sources) {
+ desktopCapturerSources.push({
+ id: source.id,
+ name: source.name,
+ thumbnailURL: source.thumbnail.toDataURL(),
+ });
+ }
+
+ return desktopCapturerSources;
+ },
+ },
+);
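Review bot: `on()` passes the renderer's `listener` straight to `ipcRenderer.on`, so the page-side callback receives the IPC event object as its first argument, and that object's `sender` refers to `ipcRenderer` itself. Depending on how the Electron version in use copies the event across the bridge, this can hand back the general messaging access that the `CHANNELS` check is meant to withhold. Wrapping the callback keeps the event inside the preload context, for example `ipcRenderer.on(channel, (_event, ...args) => listener(undefined, ...args));`, assuming the renderer-side callers do not read the event (they are not visible in this diff). Separately, the single `CHANNELS` list gates both `on` and `send`, so names that look like replies from the main process (`ipcReply`, `seshatReply`) can also be sent by the page; separate send and receive lists would be tighter.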