Lock down the app’s content security policy a bit more

app/src/browser/main.js

@@ -8,7 +8,9 @@ const fs = require('fs');
 fs.statSyncNoException = function(...args) {
   try {
     return fs.statSync.apply(fs, args);
-  } catch (e) {}
+  } catch (e) {
+    //pass
+  }
   return false;
 };
 
@@ -16,7 +18,7 @@ console.inspect = function consoleInspect(val) {
   console.log(util.inspect(val, true, 7, true));
 };
 
-const app = require('electron').app;
+const { app, session } = require('electron');
 const path = require('path');
 const mkdirp = require('mkdirp');
 
@@ -323,7 +325,7 @@ const start = () => {
     // Block remote JS execution in a second way in case our <meta> tag approach
     // is compromised somehow https://www.electronjs.org/docs/tutorial/security
     // This CSP string should match the one in app/static/index.html
-    require('electron').session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
       if (details.url.startsWith('devtools://')) {
         return callback(details);
       }

app/src/components/webview.tsx

@@ -1,6 +1,5 @@
 import url from 'url';
 import React from 'react';
-import PropTypes from 'prop-types';
 import { shell } from 'electron';
 import ReactDOM from 'react-dom';
 import classnames from 'classnames';
@@ -233,7 +232,7 @@ export default class Webview extends React.Component<WebviewProps, WebviewState>
   render() {
     return (
       <div className="webview-wrap">
-        <webview ref="webview" partition="in-memory-only" />
+        <webview ref="webview" partition="in-memory-only" enableremotemodule="false" />
         <div className={`webview-loading-spinner loading-${this.state.webviewLoading}`}>
           <RetinaImg
             style={{ width: 20, height: 20 }}

app/static/db-migration.html

@@ -2,7 +2,7 @@
 <html style="background: #fff">
 <head>
   <title>Updating Mailspring Database...</title>
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
   <style>
     .progress {
       position: relative;

app/static/db-vacuum.html

@@ -2,7 +2,7 @@
 <html style="background: #fff">
 <head>
   <title>Preparing Mailspring...</title>
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
   <style>
     .progress {
       position: relative;

app/static/index.html

@@ -3,7 +3,7 @@
 <head>
   <title>Mailspring</title>
 
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-inline' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
 
   <script src="index.js"></script>
 </head>