
Add IPC Sender Validation #40

@foxintheloop

Description


Problem

IPC handlers accept requests from any sender without verifying origin. A compromised iframe or injected webview could call privileged IPC endpoints.

Solution

Check event.senderFrame.url in IPC handlers to ensure requests come from the app's own renderer:

function validateSender(event: Electron.IpcMainInvokeEvent): boolean {
  // senderFrame is null if the frame was destroyed before the handler ran; reject.
  if (!event.senderFrame) return false;
  const url = new URL(event.senderFrame.url);
  return url.protocol === 'file:' || url.hostname === 'localhost';
}

Apply as a wrapper or middleware to all ipcMain.handle callbacks.

Files

  • apps/electron/src/main/ipc-handlers.ts — add sender validation
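The wrapper the issue asks for, as an added example rather than the project's own code. Electron's `IpcMain` and `IpcMainInvokeEvent` are replaced by minimal structural stand-ins (assumed names `IpcMainLike`, `InvokeEventLike`) so it runs without Electron; the allow-list policy (packaged app on `file:`, dev server on `http://localhost`) and the `secureIpcMain` / `isTrustedSender` names are assumptions. It also handles the two cases the one-line check misses: a destroyed frame (`senderFrame` is null) and a sender URL that `new URL()` cannot parse. Note that matching `hostname === 'localhost'` admits any port and scheme; a production build that only ever loads from `file:` should drop that branch.

```typescript
// Added example (not the project's code): apply sender validation to every
// ipcMain.handle callback through a wrapper. Electron types are replaced by
// structural stand-ins so the file runs offline.

// Stand-in for the part of Electron.IpcMainInvokeEvent the check reads.
// In Electron, senderFrame is WebFrameMain | null (null once the frame is gone).
interface InvokeEventLike {
  senderFrame: { url: string } | null;
}

// Stand-in for the part of Electron.IpcMain used here.
type InvokeHandler = (event: InvokeEventLike, ...args: unknown[]) => unknown;
interface IpcMainLike {
  handle(channel: string, listener: InvokeHandler): void;
}

// new URL() throws on input like "" or "not a url"; treat that as untrusted.
function parseUrlOrNull(raw: string) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Assumed allow-list: the packaged app loads from file://, the dev server from
// http://localhost:<port>. Everything else (remote https, about:, blob:) is rejected.
function isTrustedSender(event: InvokeEventLike): boolean {
  const frame = event.senderFrame;
  if (!frame) return false; // frame destroyed before the handler ran
  const url = parseUrlOrNull(frame.url);
  if (!url) return false; // unparsable sender URL
  if (url.protocol === 'file:') return true;
  return (url.protocol === 'http:' || url.protocol === 'https:') && url.hostname === 'localhost';
}

// Returns an ipcMain-shaped object whose handle() guards each listener: an
// untrusted sender is logged and the invoke is rejected before the listener runs.
function secureIpcMain(ipcMain: IpcMainLike, log: (msg: string) => void = () => {}): IpcMainLike {
  return {
    handle(channel, listener) {
      ipcMain.handle(channel, (event, ...args) => {
        if (!isTrustedSender(event)) {
          const origin = event.senderFrame?.url ?? '<destroyed frame>';
          log(`ipc: rejected "${channel}" from ${origin}`);
          throw new Error(`Unauthorized IPC sender for channel "${channel}"`);
        }
        return listener(event, ...args);
      });
    },
  };
}

// Constructed stand-in for ipcMain that records handlers so the wrapper can be
// exercised without Electron: invoke() calls a registered handler directly.
function makeFakeIpcMain() {
  const handlers = new Map<string, InvokeHandler>();
  const ipc: IpcMainLike = {
    handle(channel, listener) {
      handlers.set(channel, listener);
    },
  };
  const invoke = (channel: string, event: InvokeEventLike, ...args: unknown[]) => {
    const h = handlers.get(channel);
    if (!h) throw new Error(`no handler for ${channel}`);
    return h(event, ...args);
  };
  return { ipc, invoke };
}

// Registers one privileged handler through the wrapper, then invokes it from a
// trusted (file://) frame and from a constructed remote frame.
function demo(): { trusted: unknown; rejected: boolean; logged: string[] } {
  const logged: string[] = [];
  const fake = makeFakeIpcMain();
  const ipc = secureIpcMain(fake.ipc, (m) => logged.push(m));
  ipc.handle('read-secret', () => 'secret-value');

  const trusted = fake.invoke('read-secret', { senderFrame: { url: 'file:///app/index.html' } });

  let rejected = false;
  try {
    fake.invoke('read-secret', { senderFrame: { url: 'https://ads.example/frame.html' } });
  } catch {
    rejected = true;
  }
  return { trusted, rejected, logged };
}
```

In the real main process the wrapper is applied once at startup, `const ipc = secureIpcMain(ipcMain, console.warn)`, and every `ipc.handle(...)` in `ipc-handlers.ts` then goes through the check, so no individual handler can forget it. The log line is the detection signal: a rejected invoke from an unexpected origin is worth alerting on, since a correctly configured app should never produce one.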
