From 82c24a826a6170ba5fdd5e32b48dfd3235a995b2 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:06:48 +0100
Subject: [PATCH] fix(desktop): block same-window navigation to external origins
---
 desktop/main.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/desktop/main.js b/desktop/main.js
index 472653ab5..f9698ff70 100644
--- a/desktop/main.js
+++ b/desktop/main.js
@@ -40,6 +40,17 @@ function createWindow() {
 return { action: 'deny' };
 });
+ // Prevent same-window navigation to external origins.
+ // Only allow navigation to the local express server.
+ mainWindow.webContents.on('will-navigate', (event, navigationUrl) => {
+ const parsedUrl = new URL(navigationUrl);
+ // Allow navigations to the local express server
+ if (parsedUrl.hostname === '127.0.0.1' || parsedUrl.hostname === 'localhost') {
+ return;
+ }
+ event.preventDefault();
+ });
+
 // Hide the toolbar
 mainWindow.setMenuBarVisibility(false)
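Review bot: The allow-list in the `will-navigate` handler matches on hostname only, so it is wider than the comment "Only allow navigation to the local express server" states: any scheme and any port on `localhost` or `127.0.0.1` passes, including a different local service listening on another port. Comparing scheme and port as well (or the full `origin`) against the address the express server actually bound to would match the stated intent; that port is not visible in this hunk, so `EXPRESS_PORT` below is a placeholder, and the `http:` check assumes the server is plain HTTP. Separately, `new URL(navigationUrl)` runs before any guard, and if it ever throws, the handler exits without calling `event.preventDefault()`, so the check fails open; parsing inside `try`/`catch` and denying on failure keeps it closed. createWindow's body starts and ends outside the hunk.

```javascript
mainWindow.webContents.on('will-navigate', (event, navigationUrl) => {
	let parsedUrl;
	try {
		parsedUrl = new URL(navigationUrl);
	} catch {
		// Unparseable target: fail closed instead of letting the navigation proceed.
		event.preventDefault();
		return;
	}
	const isLoopbackHost = parsedUrl.hostname === '127.0.0.1' || parsedUrl.hostname === 'localhost';
	// EXPRESS_PORT: placeholder for wherever the local server's bound port is kept.
	const isLocalServer = parsedUrl.protocol === 'http:'
		&& isLoopbackHost
		&& parsedUrl.port === String(EXPRESS_PORT);
	if (!isLocalServer) {
		event.preventDefault();
	}
});
```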