Change Electron detection to be user agent based only #645
Conversation
|
What about a defensive check on the electron 5 line for process? We've been bitten by useragent checks before... |
|
I didn't dig this whole things up, but isn't the Electron check just to see if the app is loaded in drawio-desktop? If so, then maybe we should fail the check at all if |
Calyhre
force-pushed
the
fix/electron-detection
branch
from
4282c6d
to
4002057
Compare
|
I think it is, later the imports and URL handling are changed depending of this detection. There is no point of doing this if loaded from an |
|
OK, I see your point. I'm just thinking about an electron app with node integration enabled that loads draw.io in a web view. We've a lot of security controls based on the electron setting. I'll pull this change and leave this note here as a warning to future readers: If you load draw.io in an iFrame or WebView (I think process isn't there when node is disabled), you need to look at the places where we tighten security based on this flag. If you have the node integration enabled, you must not load the draw.io site as is. Third-party JS is loaded for some of the cloud integrations and if they were compromised the app could gain access to the local filesystem. |
The Electron detection is currently base on the presence of
window.processOR the user agent string.This works fine for the
mxIsElectron, but not for the Electron > 5 check as then we assumewindow.processis present. This is false forwebviewsandiframes. Draw.io is currently crashing if used inside aniframe, inside an Electron app.This PR change the Electron check to be based solely on the user agent string.