kewde / electron-sandbox-boilerplate

A simple example for a (more reasonably) secure electron application, by enabling the sandbox and forcing communication over IPC.
MIT License

Prefix channels instead of hardcoding them? #15

Open Natrium729 opened 6 years ago

Natrium729 commented 6 years ago

First of all, thanks for this repo, it helped me wrap my head around preload.js scripts and such.

Now, my question. In preload-simple.js, it is written that you should always use hardcoded channels. I was wondering, are there any security issues to prefix channels instead of hardcoding (or filtering) them? For example:

const { ipcRenderer } = require('electron');

// Every channel the page asks for is prefixed, so it can never name an Electron-internal channel directly.
function sendIPCMessage (channel, arg) {
  return ipcRenderer.sendSync(`secured-${channel}`, arg);
}

With that, a malicious message cannot be sent (I suppose), since window.sendMessage('ELECTRON_BROWSER_GET_BUILTIN', 'app') will send the message on the "secured-ELECTRON_BROWSER_GET_BUILTIN" channel instead.

Am I missing something? Because if that's not the case, then it would be way more flexible not to use hardcoded channels.

Thanks!
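
The two preload-side policies under discussion, side by side, as an added example (this is not code from the kewde/electron-sandbox-boilerplate repo or from the issue author). The hardcoded allowlist and the prefix variant are built as small factories that take the ipcRenderer object as a parameter instead of requiring it from 'electron', so the same logic runs here against a constructed in-memory stand-in for the ipcRenderer/ipcMain pair; in a real preload you would pass require('electron').ipcRenderer. The channel names, handlers and the 'secured-' prefix are assumptions for the example. The point it makes visible: with prefixing, the page can pick any suffix it likes, so the set of handlers registered in the main process (and their argument checks) becomes the whole trust boundary.

```javascript
// Added example, not code from the kewde/electron-sandbox-boilerplate repo.
// Compares the two preload-side policies discussed in this issue: a hardcoded
// allowlist of channels versus prefixing whatever channel the page supplies.
// ipcRenderer/ipcMain are passed in rather than required from 'electron', so
// the same functions run here against a constructed in-memory stand-in.

const PREFIX = 'secured-'; // assumed prefix, as in the issue text

// Policy 1 (the boilerplate's advice): only channels named in a fixed list.
function makeAllowlistSender(ipcRenderer, allowedChannels) {
  const allowed = new Set(allowedChannels);
  return function sendMessage(channel, ...args) {
    if (typeof channel !== 'string' || !allowed.has(channel)) {
      throw new Error(`IPC channel not allowed: ${String(channel)}`);
    }
    return ipcRenderer.sendSync(channel, ...args);
  };
}

// Policy 2 (the proposal in this issue): prefix the requested channel.
// A page calling sendMessage('ELECTRON_BROWSER_GET_BUILTIN', 'app') reaches
// 'secured-ELECTRON_BROWSER_GET_BUILTIN', which nothing in main listens on.
function makePrefixSender(ipcRenderer, prefix = PREFIX) {
  return function sendMessage(channel, ...args) {
    if (typeof channel !== 'string') {
      throw new Error('IPC channel must be a string');
    }
    return ipcRenderer.sendSync(`${prefix}${channel}`, ...args);
  };
}

// Main-process side for policy 2: handlers live only under the prefix. With
// prefixing, this set of handlers (and their argument checks) is the whole
// trust boundary, since the page can pick any suffix it likes.
function registerPrefixedHandlers(ipcMain, handlers, prefix = PREFIX) {
  for (const [name, handler] of Object.entries(handlers)) {
    ipcMain.on(`${prefix}${name}`, (event, ...args) => {
      event.returnValue = handler(...args);
    });
  }
}

// Constructed stand-in for Electron's ipcRenderer/ipcMain pair so the example
// runs offline. sendSync hands the call to the registered listener and returns
// event.returnValue; for a channel with no listener this stub returns undefined
// and records the attempt (a property of the stub, not a claim about Electron).
function createFakeIpc() {
  const listeners = new Map();
  const seen = [];
  const ipcMain = { on(channel, fn) { listeners.set(channel, fn); } };
  const ipcRenderer = {
    sendSync(channel, ...args) {
      seen.push(channel);
      const fn = listeners.get(channel);
      if (!fn) return undefined;
      const event = { returnValue: undefined };
      fn(event, ...args);
      return event.returnValue;
    },
  };
  return { ipcMain, ipcRenderer, seen };
}

function threw(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Wires both policies to the same fake main process and exercises them.
function demo() {
  const { ipcMain, ipcRenderer, seen } = createFakeIpc();
  registerPrefixedHandlers(ipcMain, {
    getVersion: () => '1.0.0',
    add: (a, b) => {
      // Each handler still validates its own arguments.
      if (typeof a !== 'number' || typeof b !== 'number') throw new TypeError('numbers only');
      return a + b;
    },
  });
  // Stand-in for a privileged internal channel that the page must never reach.
  ipcMain.on('ELECTRON_BROWSER_GET_BUILTIN', (event) => { event.returnValue = 'INTERNAL'; });

  const prefixed = makePrefixSender(ipcRenderer);
  const allowlisted = makeAllowlistSender(ipcRenderer, ['secured-getVersion', 'secured-add']);

  return {
    prefixedInternal: prefixed('ELECTRON_BROWSER_GET_BUILTIN', 'app'), // undefined: no listener
    prefixedChannelSeen: seen[seen.length - 1],                        // 'secured-ELECTRON_BROWSER_GET_BUILTIN'
    prefixedVersion: prefixed('getVersion'),                           // '1.0.0'
    prefixedSum: prefixed('add', 2, 3),                                // 5
    allowlistInternalBlocked: threw(() => allowlisted('ELECTRON_BROWSER_GET_BUILTIN', 'app')), // true
    allowlistVersion: allowlisted('secured-getVersion'),               // '1.0.0'
  };
}

console.log(demo());
```

Both policies keep the page away from the internal channel, which is the equivalence the thread arrives at; the difference is where the policy lives. The allowlist fails closed in the preload, so a typo in a channel name is caught before anything crosses the process boundary, while the prefix variant sends everything and relies on the main process having no handler for unwanted suffixes.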

kewde commented 6 years ago

That would be equally secure as far as I know.

Isolated worlds were recently introduced, so preload scripts have lost some of their interesting capabilities. I suggest looking at protocol handlers for a more interesting alternative.

I encountered a bug with them, though: https://github.com/kewde/electron-sandbox-boilerplate/tree/bug-stream-protocol/sandbox-stream-protocol