New Electron Fuse GrantFileProtocolExtraPrivileges breaks forge/plugin-webpack's (and potentially other plugins') entry points in production builds
#3508
Open
3 tasks done
nathanlesage opened this issue
Feb 24, 2024
· 2 comments
· May be fixed by #3511
I agree to follow the code of conduct that this project uses.
I have searched the issue tracker for a bug that matches the one I want to file, without success.
Electron Forge version
7.3.0
Electron version
29.0.1
Operating system
macOS Sonoma 14.3.1
Last known working Electron Forge version
N/A
Expected behavior
The Electron security recommendations state that we should serve all local files through custom protocols, and not use the file protocol. After the recent CVE-issue, I saw that Electron has added a new fuse to demote the file-protocol to a standard one without extra privileges.
This means that we should be able to overwrite the string constants that point to the various window entry points to use a custom protocol ourselves. This would mean a bit more boilerplate, but it should be fine. However, I was unable to find a way to provide a custom protocol setting for the Forge config, nor was there any indication in the docs of how to handle this.
Actual behavior
When building an app package with the fuse setting [FuseV1Options.GrantFileProtocolExtraPrivileges]: false, the window code will not load and the console will print an access error.
Enabling that fuse (i.e., granting the file protocol extra privileges) makes the entry points usable again.
Steps to reproduce
Use the webpack template, set the corresponding fuse, and build a full app. Attempt to run it, and observe the error appearing.
Additional information
No response
This is more secure than using file:// and aligns us with Electron
on the intention to stop making the file:// protocol special and powerful.
Fixes #3508
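The issue asks for window entry points to be served from a custom protocol instead of file://. As an added example (not code from the issue, the linked change or Electron Forge), this is the path check such a protocol handler needs before it reads anything from disk; the `app` scheme, the `bundle` host and the name `resolveBundlePath` are assumptions.

```javascript
// Added example; not Electron Forge's implementation. The scheme "app", the
// host "bundle" and the name resolveBundlePath are assumptions.
const SCHEME = 'app:';
const HOST = 'bundle';

// Returns the relative path (forward slashes) of the requested file inside the
// packaged renderer directory, or null if the request must be refused.
function resolveBundlePath(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return null; // not a parseable URL
  }
  // Only our own scheme and host: file://, http:// and foreign hosts are refused.
  if (url.protocol !== SCHEME || url.host !== HOST) return null;

  // The URL parser has already collapsed literal "." and ".." segments, but
  // percent-encoded separators (%2f, %5c) survive inside a segment, so decode
  // each segment on its own and refuse anything that could change directory.
  const segments = [];
  for (const raw of url.pathname.split('/').slice(1)) {
    let seg;
    try {
      seg = decodeURIComponent(raw);
    } catch {
      return null; // malformed escape such as %zz
    }
    if (seg === '' || seg === '.' || seg === '..') return null;
    if (/[\/\\\0:]/.test(seg)) return null; // separators, NUL, drive/stream colon
    segments.push(seg);
  }
  return segments.length ? segments.join('/') : null;
}

// Wiring in the main process (assumed, kept as a comment so this file runs in
// plain Node): declare the scheme with protocol.registerSchemesAsPrivileged
// before the app is ready, then in protocol.handle('app', ...) call
// resolveBundlePath(request.url), answer 404 on null, and otherwise serve
// path.join(rendererRoot, relativePath), where rendererRoot is the build output.
```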