Open masood opened 11 months ago
Hey @masood, thanks for sharing the issue, but the finding is not very realistic due to the content-security-policy rules applied. Here is why: the content security policy forces the browser (for Electron, it's the Chromium engine) not to download any assets from unknown domains; there is only a set of restricted domains from which the app can download images, styles and JS files.
But at the same time, upgrading the Electron version is a valid concern. I will be dealing with that at the very first convenience.
And the console is disabled for end users; if it's opened by the user, then probably someone is sitting in front of that computer, so no one will be able to type window.open(any link).
Summary:
While the Excel Parser Desktop Application uses secure web preferences, it does not use event listeners that prevent in-app navigation. Moreover, the application can benefit from an update to the underlying Electron.js version.
Platform(s) Affected:
macOS, Windows, Linux
Steps To Reproduce:
1. window.location="https://attacker.com/". The application window navigates to the third-party site.
2. window.open("https://attacker.com/"). The application opens a new window with the third-party domain.
While the application disables nodeIntegration and enables contextIsolation, it does not enable sandbox. These features can be taken care of by the defaults of the latest Electron.js version.
-- Mir Masood Ali, PhD student, University of Illinois at Chicago; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago; Jason Polakis, Associate Professor, University of Illinois at Chicago