security: block chrome.tabs.executeScript() for non chrome-extension: URLs (#16124)

2026-04-10 03:01:51 -04:00 · 2018-12-20 18:43:30 -07:00
parent c24717a0b7
commit 0fef224f0f
1 changed files with 11 additions and 0 deletions
--- a/lib/browser/chrome-extension.js
+++ b/lib/browser/chrome-extension.js
@@ -201,7 +201,18 @@ ipcMain.on('CHROME_TABS_SEND_MESSAGE', function (event, tabId, extensionId, isBa
  resultID++
 })

+const isChromeExtension = function (pageURL) {
+  const { protocol } = url.parse(pageURL)
+  return protocol === 'chrome-extension:'
+}
+
 ipcMain.on('CHROME_TABS_EXECUTESCRIPT', function (event, requestId, tabId, extensionId, details) {
+  const pageURL = event.sender._getURL()
+  if (!isChromeExtension(pageURL)) {
+    console.error(`Blocked ${pageURL} from calling chrome.tabs.executeScript()`)
+    return
+  }
+
  const contents = webContents.fromId(tabId)
  if (!contents) {
    console.error(`Sending message to unknown tab ${tabId}`)