4gray / iptvnator

:tv: Cross-platform IPTV player application with multiple features, such as support of m3u and m3u8 playlists, favorites, TV guide, TV archive/catchup and more.
https://iptvnator.vercel.app
MIT License

Limiting In-app Navigation and IPC Sender Verification #328

Open masood opened 12 months ago

masood commented 12 months ago

Summary: Thank you for designing the IPTVnator Desktop Application and making it open-source and available. The application is very useful in managing playlists and provides a useful video player as well. We list pointers that can help make the application more secure.

  1. [Preventing In-app Navigation] Since the app loads remote content (playlists and videos), and exposes nodeIntegration, it will be useful to prevent all attempts at in-app navigation by adding a listener on will-navigate and a handler function on setWindowOpenHandler, and ensuring that the user intends navigation before allowing/denying such access on the user’s system.
  2. [IPC Sender Verification] Since the application uses custom IPC messages, it will be useful to add a verification of event.sender before responding with the playlist response. [Ref]

Thank you!

Platform(s) Affected: macOS, Windows, Linux

– Mir Masood Ali, PhD student, University of Illinois Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois Chicago
Chris Kanich, Associate Professor, University of Illinois Chicago
Jason Polakis, Associate Professor, University of Illinois Chicago

4gray commented 12 months ago

Sounds good, would appreciate a PR 👍