Problem
IPC handlers accept requests from any sender without verifying origin. A compromised iframe or injected webview could call privileged IPC endpoints.
Solution
Check event.senderFrame.url in IPC handlers to ensure requests come from the app's own renderer:
function validateSender(event: Electron.IpcMainInvokeEvent): boolean {
const url = new URL(event.senderFrame.url);
return url.protocol === 'file:' || url.hostname === 'localhost';
}Apply as a wrapper or middleware to all ipcMain.handle callbacks.
Files
apps/electron/src/main/ipc-handlers.ts — add sender validation
References
Problem
IPC handlers accept requests from any sender without verifying origin. A compromised iframe or injected webview could call privileged IPC endpoints.
Solution
Check
event.senderFrame.urlin IPC handlers to ensure requests come from the app's own renderer:Apply as a wrapper or middleware to all
ipcMain.handlecallbacks.Files
apps/electron/src/main/ipc-handlers.ts— add sender validationReferences