Skip to content
This repository was archived by the owner on Dec 11, 2019. It is now read-only.

Commit 9759cc3

Browse files
diracdeltasdiracdeltas
committed
Only allow whitelisted protocols to load in tor tabs
fix #14664
1 parent 3f8feb2 commit 9759cc3

File tree

1 file changed

+27
-5
lines changed

1 file changed

+27
-5
lines changed

app/filtering.js

+27-5
Original file line numberDiff line numberDiff line change
@@ -103,6 +103,13 @@ module.exports.registerHeadersReceivedFilteringCB = (filteringFn) => {
103103
headersReceivedFilteringFns.push(filteringFn)
104104
}
105105

106+
// Protocols which are safe to load in tor tabs
107+
const whitelistedTorProtocols = ['http:', 'https:', 'chrome-extension:', 'chrome-devtools:']
108+
if (process.env.NODE_ENV === 'development') {
109+
// Needed for connection to webpack local server
110+
whitelistedTorProtocols.push('ws:')
111+
}
112+
106113
/**
107114
* Register for notifications for webRequest.onBeforeRequest for a particular
108115
* session.
@@ -111,6 +118,26 @@ module.exports.registerHeadersReceivedFilteringCB = (filteringFn) => {
111118
function registerForBeforeRequest (session, partition) {
112119
const isPrivate = module.exports.isPrivate(partition)
113120
session.webRequest.onBeforeRequest((details, muonCb) => {
121+
if (partition === appConfig.tor.partition) {
122+
if (isMagnetURL(details)) {
123+
// Show a useful warning for magnet urls
124+
showTorrentBlockedInTorWarning(details, muonCb)
125+
return
126+
}
127+
if (!details.url) {
128+
muonCb({ cancel: true })
129+
return
130+
}
131+
// To minimize leakage risk, only allow whitelisted protocols in Tor
132+
// sessions
133+
const protocol = urlParse(details.url).protocol
134+
if (!whitelistedTorProtocols.includes(protocol)) {
135+
console.log('Blocked protocol from loading in tor tab:', protocol)
136+
muonCb({ cancel: true })
137+
return
138+
}
139+
}
140+
114141
if (process.env.NODE_ENV === 'development') {
115142
let page = appUrlUtil.getGenDir(details.url)
116143
if (page) {
@@ -136,11 +163,6 @@ function registerForBeforeRequest (session, partition) {
136163
return
137164
}
138165

139-
if ((isMagnetURL(details)) && partition === appConfig.tor.partition) {
140-
showTorrentBlockedInTorWarning(details, muonCb)
141-
return
142-
}
143-
144166
const firstPartyUrl = module.exports.getMainFrameUrl(details)
145167
// this can happen if the tab is closed and the webContents is no longer available
146168
if (!firstPartyUrl) {

0 commit comments

Comments
 (0)