Skip to content

fix(security): harden Electron MCP navigation boundaries#3464

Merged
tatoalo merged 3 commits into
mainfrom
fix/harden-electron-mcp-navigation
Jul 15, 2026
Merged

fix(security): harden Electron MCP navigation boundaries#3464
tatoalo merged 3 commits into
mainfrom
fix/harden-electron-mcp-navigation

Conversation

@tatoalo

@tatoalo tatoalo commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Problem

our electron renderer trusted packaged file: navigation using an encoded pathname prefix and only observed main-frame navigation. Renderer subframes could therefore reach unsupported external protocols without passing through the validated host link launcher, while the persistent session retained Electron's default openExternal permission behavior.

Changes

  • allow main-frame navigation only to the exact renderer entry file
  • observe subframe navigation and block schemes that can leave the browser context, while preserving supported MCP sandbox and embedded web content
  • deny renderer-originated openExternal permission checks and requests for the persistent session
  • isolate packaged Electron tests with temporary user-data directories and add a real subframe-navigation regression test

@trunk-io

trunk-io Bot commented Jul 15, 2026

Copy link
Copy Markdown

😎 Merged manually by @tatoalo - details.

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown

React Doctor found no issues in the changed files. 🎉

Reviewed by React Doctor for commit e2b5aae.

Comment thread apps/code/tests/e2e/tests/main-process.spec.ts Fixed
@tatoalo tatoalo self-assigned this Jul 15, 2026
@tatoalo tatoalo marked this pull request as ready for review July 15, 2026 10:39
@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Reviews (1): Last reviewed commit: "fix(test): create Electron E2E user data..." | Re-trigger Greptile

@tatoalo tatoalo requested a review from a team July 15, 2026 11:21
@tatoalo tatoalo added the Stamphog This will request an autostamp by stamphog on small changes label Jul 15, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All changes are strictly additive security hardening — tighter file-URL matching, subframe navigation allowlist, and session-level openExternal blocking. The resolved CodeQL alert was a false positive on a hardcoded test constant.

@tatoalo tatoalo merged commit 15fdbbb into main Jul 15, 2026
33 checks passed
@tatoalo tatoalo deleted the fix/harden-electron-mcp-navigation branch July 15, 2026 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Stamphog This will request an autostamp by stamphog on small changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants