From fb2243a85fa11ac1a93f5a6b251c15739224a99b Mon Sep 17 00:00:00 2001 From: Evan Date: Sun, 29 Mar 2026 15:28:59 +0100 Subject: [PATCH] fix: resolve relative URLs in chrome.windows.create --- .../src/browser/api/common.ts | 14 +++++++++++ .../src/browser/api/tabs.ts | 24 ++++++------------- .../src/browser/api/windows.ts | 6 +++++ 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/packages/electron-chrome-extensions/src/browser/api/common.ts b/packages/electron-chrome-extensions/src/browser/api/common.ts index 998f8e6c..259fa1e1 100644 --- a/packages/electron-chrome-extensions/src/browser/api/common.ts +++ b/packages/electron-chrome-extensions/src/browser/api/common.ts @@ -36,6 +36,20 @@ export const getExtensionUrl = (extension: Electron.Extension, uri: string) => { } catch {} } +export const validateExtensionUrl = (url: string, extension: Electron.Extension) => { + try { + url = new URL(url, extension.url).href + } catch (e) { + throw new Error('Invalid URL') + } + + if (url.startsWith('chrome:') || url.startsWith('javascript:')) { + throw new Error('Invalid URL') + } + + return url +} + export const resolveExtensionPath = ( extension: Electron.Extension, uri: string, diff --git a/packages/electron-chrome-extensions/src/browser/api/tabs.ts b/packages/electron-chrome-extensions/src/browser/api/tabs.ts index 59afa87a..fb7025a4 100644 --- a/packages/electron-chrome-extensions/src/browser/api/tabs.ts +++ b/packages/electron-chrome-extensions/src/browser/api/tabs.ts @@ -1,27 +1,17 @@ import { ExtensionContext } from '../context' import { ExtensionEvent } from '../router' -import { getAllWindows, matchesPattern, matchesTitlePattern, TabContents } from './common' +import { + getAllWindows, + matchesPattern, + matchesTitlePattern, + TabContents, + validateExtensionUrl, +} from './common' import { WindowsAPI } from './windows' import debug from 'debug' const d = debug('electron-chrome-extensions:tabs') -const validateExtensionUrl = (url: string, extension: Electron.Extension) => { - // Convert relative URLs to absolute if needed - try { - url = new URL(url, extension.url).href - } catch (e) { - throw new Error('Invalid URL') - } - - // Prevent creating chrome://kill or other debug commands - if (url.startsWith('chrome:') || url.startsWith('javascript:')) { - throw new Error('Invalid URL') - } - - return url -} - export class TabsAPI { static TAB_ID_NONE = -1 static WINDOW_ID_NONE = -1 diff --git a/packages/electron-chrome-extensions/src/browser/api/windows.ts b/packages/electron-chrome-extensions/src/browser/api/windows.ts index 76ed5339..5790d8d9 100644 --- a/packages/electron-chrome-extensions/src/browser/api/windows.ts +++ b/packages/electron-chrome-extensions/src/browser/api/windows.ts @@ -1,5 +1,6 @@ import { ExtensionContext } from '../context' import { ExtensionEvent } from '../router' +import { validateExtensionUrl } from './common' import debug from 'debug' const d = debug('electron-chrome-extensions:windows') @@ -109,6 +110,11 @@ export class WindowsAPI { } private async create(event: ExtensionEvent, details: chrome.windows.CreateData) { + if (details.url) { + const urls = Array.isArray(details.url) ? details.url : [details.url] + const resolved = urls.map((u) => validateExtensionUrl(u, event.extension)) + details = { ...details, url: Array.isArray(details.url) ? resolved : resolved[0] } + } const win = await this.ctx.store.createWindow(event, details) return this.getWindowDetails(win) }