electron / forge

:electron: A complete tool for building and publishing Electron applications
https://electronforge.io
MIT License

New Electron Fuse `GrantFileProtocolExtraPrivileges` breaks `forge/plugin-webpack`'s (and potentially other plugins') entry points in production builds #3508

Open nathanlesage opened 6 months ago

nathanlesage commented 6 months ago

Electron Forge version

7.3.0

Electron version

29.0.1

Operating system

macOS Sonoma 14.3.1

Last known working Electron Forge version

N/A

Expected behavior

The Electron security recommendations state that we should serve all local files through custom protocols, and not use the file protocol. After the recent CVE-issue, I saw that Electron has added a new fuse to demote the file-protocol to a standard one without extra privileges.

This means that we should be able to overwrite the string constants that point to the various window entry points to use a custom protocol ourselves. This would mean a bit more boilerplate, but it should be fine. However, I was unable to find a way to provide a custom protocol setting for the Forge config, nor was there any indication in the docs of how to handle this.

Actual behavior

When building an app package with the fuse setting `[FuseV1Options.GrantFileProtocolExtraPrivileges]: false`, the window code will not load and the console will print an access error.

Enabling that fuse (i.e., granting the file protocol extra privileges) makes the entry points usable again.

Steps to reproduce

Use the webpack template, set the corresponding fuse, and build a full app. Attempt to run it, and observe the error appearing.

Additional information

No response

MarshallOfSound commented 6 months ago

The correct answer here is to use a custom protocol instead of `file://` in packaged apps. Raised #3511 accordingly.
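An added example, not part of this thread and not the code from #3511 or from Forge: one way an app's main process can serve its packaged renderer files over a custom protocol while keeping every request inside a single directory. The scheme name `app`, the host `bundle`, the `root` argument and all function names are assumptions; `protocol.registerSchemesAsPrivileged` and `protocol.handle` are Electron's main-process APIs.

```javascript
const path = require('node:path');
const fs = require('node:fs/promises');

const SCHEME = 'app';   // assumed scheme name
const HOST = 'bundle';  // assumed host label for the packaged renderer files
const TYPES = { '.html': 'text/html', '.js': 'text/javascript',
                '.css': 'text/css', '.json': 'application/json' };

// Map app://bundle/<path> to a file below `root`; null for anything else.
function resolveAppUrl(rawUrl, root) {
  let pathname;
  try {
    const url = new URL(rawUrl);
    if (url.protocol !== `${SCHEME}:` || url.host !== HOST) return null;
    pathname = decodeURIComponent(url.pathname); // throws on malformed escapes
  } catch {
    return null;
  }
  if (pathname.includes('\0')) return null;
  const target = path.resolve(root, '.' + pathname);
  const rel = path.relative(root, target);
  // Reject the root itself and anything that climbs out of it (encoded "../").
  if (!rel || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return null;
  return target;
}

// Serve one request from disk; never falls back to file://.
async function handleAppRequest(request, root) {
  const file = resolveAppUrl(request.url, root);
  if (!file) return new Response('Bad request', { status: 400 });
  try {
    const body = await fs.readFile(file);
    const type = TYPES[path.extname(file)] || 'application/octet-stream';
    return new Response(body, { headers: { 'content-type': type } });
  } catch {
    return new Response('Not found', { status: 404 });
  }
}

// Call before app "ready". `protocol` is Electron's module, passed in so this file loads without Electron.
function declareAppScheme(protocol) {
  protocol.registerSchemesAsPrivileged([
    { scheme: SCHEME, privileges: { standard: true, secure: true, supportFetchAPI: true } },
  ]);
}

// Call after app "ready"; `root` is the directory holding the built renderer output.
function registerAppProtocol(protocol, root) {
  protocol.handle(SCHEME, (request) => handleAppRequest(request, root));
}
```

A window then loads an `app://bundle/...` URL with `loadURL` instead of a `file://` path. Symlinks below `root` are not resolved by this check.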

nathanlesage commented 6 months ago

Thank you! The PR looks good!