-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpreload.js
More file actions
58 lines (53 loc) · 1.56 KB
/
preload.js
File metadata and controls
58 lines (53 loc) · 1.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
// ============================================
// Preload Script - IPC Bridge
// ============================================
// With contextIsolation: true, we use contextBridge
// to safely expose APIs to the renderer.
const { contextBridge, ipcRenderer, shell } = require('electron');
// Whitelist of allowed IPC channels
const ALLOWED_CHANNELS = [
'open-project',
'set-project-path',
'get-screen-resolution',
'get-pictures-folders',
'get-folder-contents',
'get-thumbnail',
'get-image-path',
'export-to-map',
'get-maps',
'get-map-events',
'save-scene',
'load-scene',
'autosave-write',
'autosave-read',
'autosave-delete',
'autosave-exists'
];
// Check if dev mode
const isDev = process.argv.includes('--dev');
// Expose APIs to renderer via contextBridge
contextBridge.exposeInMainWorld('api', {
isDev,
// IPC invoke with channel validation
invoke: (channel, ...args) => {
if (ALLOWED_CHANNELS.includes(channel)) {
return ipcRenderer.invoke(channel, ...args);
}
return Promise.reject(new Error(`IPC channel "${channel}" is not allowed`));
},
// Shell operations (limited)
openExternal: (url) => {
// Only allow specific URLs
const allowedHosts = ['github.com'];
try {
const urlObj = new URL(url);
if (allowedHosts.some((host) => urlObj.hostname === host || urlObj.hostname.endsWith(`.${host}`))) {
return shell.openExternal(url);
}
} catch (_e) {
console.debug('Invalid URL:', url);
}
console.warn('Blocked attempt to open URL:', url);
return Promise.resolve();
}
});