anaisbetts
commented
7 years ago This annoying bug is actually demonstrating a security feature of electron-compile - it's explicitly detecting that this file is not shipped with the application and refusing to load it. This check is done before the "Is the MIME Type suitable" check, so we will never load it.
The bug here is that for whatever reason, occasionally the event we put in to capture drop and prevent navigation, doesn't fire. So it tries to navigate the WebContents anyways.
wearhere
@paulcbetts may already be aware of this because I reported it to Slack support and they said the engineering team was working on it, but thought I'd report it here too.
Slack can crash when you drag in an image and hold-and-release the shift key too quickly:
That stack trace makes it look like electron-compile is trying to load the image. This seems unintentional insofar as its README just talks about loading JS, CSS, and HTML variants. (I see stuff about SVGs in other issues, but this was just a plain old PNG taken using the built-in OS X screenshot functionality.)
This also seems like a potential security issue insofar as Electron apps like Slack probably don't load user-provided/foreign JS/CSS/HTML, but do load user-provided/foreign images. So, if an application tried to load a file that contained JS, but had a PNG extension or was remotely served with an image mime type… could electron-compile be possibly tricked into executing arbitrary JavaScript?