From 5aebb5da1ead1a1eb9eeb125e6cadff2b6a3aec3 Mon Sep 17 00:00:00 2001
From: Ben Gotow <ben@foundry376.com>
Date: Mon, 15 Feb 2021 01:28:23 -0600
Subject: [PATCH] =?UTF-8?q?Lock=20down=20the=20app=E2=80=99s=20content=20s?=
 =?UTF-8?q?ecurity=20policy=20a=20bit=20more?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/src/browser/main.js        | 8 +++++---
 app/src/components/webview.tsx | 3 +--
 app/static/db-migration.html   | 2 +-
 app/static/db-vacuum.html      | 2 +-
 app/static/index.html          | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/app/src/browser/main.js b/app/src/browser/main.js
index ffef401cd..f762b80a8 100644
--- a/app/src/browser/main.js
+++ b/app/src/browser/main.js
@@ -8,7 +8,9 @@ const fs = require('fs');
 fs.statSyncNoException = function(...args) {
   try {
     return fs.statSync.apply(fs, args);
-  } catch (e) {}
+  } catch (e) {
+    //pass
+  }
   return false;
 };
 
@@ -16,7 +18,7 @@ console.inspect = function consoleInspect(val) {
   console.log(util.inspect(val, true, 7, true));
 };
 
-const app = require('electron').app;
+const { app, session } = require('electron');
 const path = require('path');
 const mkdirp = require('mkdirp');
 
@@ -323,7 +325,7 @@ const start = () => {
     // Block remote JS execution in a second way in case our <meta> tag approach
     // is compromised somehow https://www.electronjs.org/docs/tutorial/security
     // This CSP string should match the one in app/static/index.html
-    require('electron').session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
       if (details.url.startsWith('devtools://')) {
         return callback(details);
       }
diff --git a/app/src/components/webview.tsx b/app/src/components/webview.tsx
index 21617fd2a..a98316b7b 100644
--- a/app/src/components/webview.tsx
+++ b/app/src/components/webview.tsx
@@ -1,6 +1,5 @@
 import url from 'url';
 import React from 'react';
-import PropTypes from 'prop-types';
 import { shell } from 'electron';
 import ReactDOM from 'react-dom';
 import classnames from 'classnames';
@@ -233,7 +232,7 @@ export default class Webview extends React.Component<WebviewProps, WebviewState>
   render() {
     return (
       <div className="webview-wrap">
-        <webview ref="webview" partition="in-memory-only" />
+        <webview ref="webview" partition="in-memory-only" enableremotemodule="false" />
         <div className={`webview-loading-spinner loading-${this.state.webviewLoading}`}>
           <RetinaImg
             style={{ width: 20, height: 20 }}
diff --git a/app/static/db-migration.html b/app/static/db-migration.html
index 03d605915..5c97a6ebd 100644
--- a/app/static/db-migration.html
+++ b/app/static/db-migration.html
@@ -2,7 +2,7 @@
 <html style="background: #fff">
 <head>
   <title>Updating Mailspring Database...</title>
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
   <style>
     .progress {
       position: relative;
diff --git a/app/static/db-vacuum.html b/app/static/db-vacuum.html
index 07ce0767c..cceaed26a 100644
--- a/app/static/db-vacuum.html
+++ b/app/static/db-vacuum.html
@@ -2,7 +2,7 @@
 <html style="background: #fff">
 <head>
   <title>Preparing Mailspring...</title>
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
   <style>
     .progress {
       position: relative;
diff --git a/app/static/index.html b/app/static/index.html
index 193487295..e0679ff40 100644
--- a/app/static/index.html
+++ b/app/static/index.html
@@ -3,7 +3,7 @@
 <head>
   <title>Mailspring</title>
 
-  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-inline' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
+  <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
 
   <script src="index.js"></script>
 </head>