New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add new fuse to treat file: identically to browsers #40372
Conversation
9c3b23d
to
0e8324f
Compare
**Default:** Enabled | ||
**@electron/fuses:** `FuseV1Options.GrantFileProtocolExtraPrivileges` | ||
|
||
The grantFileProtocolExtraPrivileges fuse changes whether pages loaded from the `file://` protocol are given privileges beyond what they would receive in a traditional web browser. This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be [serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead. If you aren't serving pages from `file://` you should disable this fuse. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be serving local files from custom protocols now instead.
Is there a specific major version that we want to mention?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so, this has been doable with custom protocols for long enough we don't need to specifically say when
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API LGTM
API LGTM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API LGTM
Release Notes Persisted
|
Using a custom protocol to improve security is a great idea. Unfortunately we found that it breaks the React & Redux devtools. If anyone has a workaround please let me know. Without support for those tools we had to rollback our use of a custom protocol. |
A long standing gap between Electron and "The Web" has been are special treatment of
file://
URLs. This was handy during the early days but nowadays we have a good stable customprotocol
API that should supercede the usage of a "privileged"file://
protocol.This PR does a few things in one go:
file://
protocolfile://
protocolNotes: Added new Electron Fuse that opts the
file://
protocol into more secure and restrictive behaviour that matches Chromium