trezor / trezor-suite

Trezor Suite Monorepo
https://trezor.io/trezor-suite

Filter requests in main process and block not allowed domains #7171

Open karliatto opened 1 year ago

karliatto commented 1 year ago

Currently Suite is filtering all requests in the renderer process and blocking the ones that go to domains that are not allowed: packages/suite-desktop/src/modules/request-filter.ts.

We did not have a way to filter requests in the main process, therefore we could not do it there, but now that we have request-interceptor from the request-manager package, we can implement the same filter of domains for the main process.

mroz22 commented 1 month ago

Going through old issues now. This seems to be security related, and since @komret and @peter-sanderson were browsing this field, I am tagging them, in case this is something they want to push. I am sure @karliatto would be able to assist/explain his idea.

komret commented 1 month ago

Yes, we can do this. I suppose the worst part is to put together the whitelist? Do you know which URLs should be allowed?

karliatto commented 1 month ago

> Yes, we can do this. I suppose the worst part is to put together the whitelist? Do you know which URLs should be allowed?

Starting with 'trezor.io', 'localhost' and '127.0.0.1', as well as the URLs used for all the coin backends, and do a bit of research in the code and in the running app so as not to miss anything that is using the main process.

Looking at this list, https://github.com/trezor/trezor-suite/blob/develop/packages/suite-desktop-core/src/config.ts, I think some of the URLs there are not necessary in the renderer anymore, since the discovery in desktop is running in the main process.
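The allowlist check discussed in this thread, sketched as an added example that is not trezor-suite code and does not use the request-interceptor API. The `Rule` type, the `subdomains` flag and the function names are assumptions made for illustration; only the three hosts come from the thread.

```typescript
// Added illustration, not trezor-suite code. The Rule shape and the
// `subdomains` flag are assumptions; the three hosts are named in the thread.
type Rule = { host: string; subdomains: boolean };

const ALLOWED: Rule[] = [
    { host: 'trezor.io', subdomains: true },
    { host: 'localhost', subdomains: false },
    { host: '127.0.0.1', subdomains: false },
];

const SCHEMES = ['http:', 'https:', 'ws:', 'wss:'];

// True when `host` is rule.host itself or, if permitted, a subdomain aligned
// on a label boundary (so "eviltrezor.io" never matches "trezor.io").
function hostMatches(host: string, rule: Rule): boolean {
    if (host === rule.host) return true;
    const suffix = '.' + rule.host;
    return rule.subdomains && host.length > suffix.length &&
        host.slice(-suffix.length) === suffix;
}

// Decide whether an outgoing request URL may leave the process.
function isAllowedRequest(rawUrl: string, rules: Rule[] = ALLOWED): boolean {
    let url: URL;
    try {
        // The parser lowercases the hostname and splits off userinfo and port,
        // so the check never runs on the raw string.
        url = new URL(rawUrl);
    } catch (e) {
        return false; // unparseable input fails closed
    }
    if (SCHEMES.indexOf(url.protocol) === -1) return false;
    const host = url.hostname.replace(/\.$/, ''); // "trezor.io." is the same name
    return rules.some(rule => hostMatches(host, rule));
}

// Constructed sample URLs, not taken from the project.
const SAMPLES = [
    'https://data.trezor.io/firmware',
    'https://trezor.io.evil.example/',
    'https://trezor.io@evil.example/',
    'http://127.0.0.1:21325/',
];
SAMPLES.forEach(u => console.log(isAllowedRequest(u) ? 'ALLOW' : 'BLOCK', u));
```

Matching on the parsed hostname rather than on a substring of the URL is what keeps lookalike hosts and userinfo tricks out of the allowed set.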