freedomofpress/sunder

Drag and drop navigates to dropped file

Closed this issue · 0 comments

Bug

Description

Dragging and dropping a file into Sunder causes the BrowserWindow to navigate to that file, with no way to go back.

This also creates a potential security issue if one were to drop a malicious html document, as it inherits the permissions of the window, including access to node apis.

Steps to Reproduce

Run Sunder.
Drag and drop any file onto the window.

Expected Behavior

Either do nothing or select the file for sundering/rendering, depending on the state of the UI.

Actual Behavior

Renders the file. If it is an html file which contains malicious scripts or resources, they are loaded in an unsafe context (i.e., node integration enabled).

Comments

Define a drag and drop handler on the window. If you don't intend to navigate away from app.html, for layered protection consider also:

mainWindow.webContents.on('will-navigate', function(e) {
  // Refuse every page-initiated navigation; the window should only ever show app.html.
  e.preventDefault();
});