Security: Electron setWindowOpenHandler Allows file:// and data: Protocol Loading

[rishab11250]

Summary

setWindowOpenHandler allows any URL not starting with http to load in the BrowserWindow including file://, data:, and ftp://. A compromised Flask response can read local files.

Location

main.js — setWindowOpenHandler, lines ~164-169

Risk

Local file read via renderer navigation. data: URLs can run arbitrary JS.

Proposed Fix

Change the final return from { action: 'allow' } to { action: 'deny' }.

[rishab11250]

Hey @siddu-k, please assign me these issues so that I can work on them.

[kunal-9090]

Hi @siddu-k, I would like to work on this under GSSoC'26.

Implementation plan:

• Update Electron setWindowOpenHandler to allow only safe external web protocols (http: / https:).
• Explicitly deny file://, data:, javascript:, and other unsafe schemes.
• Keep existing allowed external-link behavior through shell.openExternal.
• Verify the handler by static inspection and available project checks.

Could you please assign this to me if it is available?