From acd748e01b7dc682784b439839da606009ada4c3 Mon Sep 17 00:00:00 2001
From: absidue <48293849+absidue@users.noreply.github.com>
Date: Thu, 25 Apr 2024 21:07:21 +0200
Subject: [PATCH] Only approve web API permission requests for permissions that FreeTube needs
---
 src/main/index.js | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/src/main/index.js b/src/main/index.js
index c30abb574..7660ce575 100644
--- a/src/main/index.js
+++ b/src/main/index.js
@@ -286,6 +286,32 @@ function runApp() {
 })
 }
 
+ // Electron defaults to approving all permission checks and permission requests.
+ // FreeTube only needs a few permissions, so we reject requests for other permissions
+ // and reject all requests on non-FreeTube URLs.
+ //
+ // FreeTube needs the following permissions:
+ // - "fullscreen": So that the video player can enter full screen
+ // - "clipboard-sanitized-write": To allow the user to copy video URLs and error messages
+
+ session.defaultSession.setPermissionCheckHandler((webContents, permission, requestingOrigin) => {
+ if (!isFreeTubeUrl(requestingOrigin)) {
+ return false
+ }
+
+ return permission === 'fullscreen' || permission === 'clipboard-sanitized-write'
+ })
+
+ session.defaultSession.setPermissionRequestHandler((webContents, permission, callback) => {
+ if (!isFreeTubeUrl(webContents.getURL())) {
+ // eslint-disable-next-line n/no-callback-literal
+ callback(false)
+ return
+ }
+
+ callback(permission === 'fullscreen' || permission === 'clipboard-sanitized-write')
+ })
+
 let docArray
 try {
 docArray = await baseHandlers.settings._findAppReadyRelatedSettings()
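Review bot: The request handler decides on `webContents.getURL()`, which is the URL of the top-level page, so a request raised by a subframe embedded in the FreeTube page would be judged as if FreeTube itself had asked. Electron passes a fourth `details` argument to this handler that carries `requestingUrl` and `isMainFrame`; taking `(webContents, permission, callback, details) =>` and testing `if (!isFreeTubeUrl(details.requestingUrl)) {` ties the approval to the frame that actually made the request. Separately, Electron documents `requestingOrigin` in the check handler as an origin, so it is worth confirming in a packaged build that the `/index.html` path comparison in `isFreeTubeUrl` can ever match there. Both handlers sit inside `runApp()`, whose body starts and ends outside this hunk.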
@@ -547,6 +573,19 @@ function runApp() {
 }
 }
 
+ /**
+ * @param {string} urlString
+ */
+ function isFreeTubeUrl(urlString) {
+ const { protocol, host, pathname } = new URL(urlString)
+
+ if (process.env.NODE_ENV === 'development') {
+ return protocol === 'http:' && host === 'localhost:9080' && (pathname === '/' || pathname === '/index.html')
+ } else {
+ return protocol === 'app:' && host === 'bundle' && pathname === '/index.html'
+ }
+ }
+
 async function installDevTools() {
 try {
 /* eslint-disable */
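Review bot: `new URL(urlString)` in `isFreeTubeUrl` throws a TypeError on an empty or unparseable string, and the helper is called from both permission handlers with values supplied by Electron, so a throw there leaves the request handler's `callback` uncalled rather than answering with a denial. `webContents.getURL()` can be an empty string before a page has loaded, and an opaque origin may reach the check handler serialized as `null` (to be confirmed). Catching the parse failure and returning `false` makes the helper fail closed. The JSDoc would also benefit from `@returns {boolean}` and a sentence saying the match is exact on scheme, host and path, with the development server accepted only when `NODE_ENV` is `development`.

```javascript
function isFreeTubeUrl(urlString) {
  let parsed
  try {
    parsed = new URL(urlString)
  } catch {
    // Empty or unparseable value: treat it as not FreeTube so the caller denies.
    return false
  }

  const { protocol, host, pathname } = parsed
  // … unchanged: development / production comparison …
}
```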