Support the setWindowOpenHandler API in Electron 12+

[mitchchn]

Is your feature request related to a problem? Please describe.

Electron 12 has a new API to capture and prevent window creation, webContents.setWindowOpenHandler. See: https://www.electronjs.org/docs/tutorial/security#how-10.

The existing new-window event has been deprecated.

Describe the solution you'd like

LIMIT_NAVIGATION_JS_CHECK should detect the presence of the new handler API and treat it the same way as the new-window event, assuming it is an appropriate alternative (or addition).

Describe alternatives you've considered

It's possible to continue using the deprecated event. It is not entirely clear to me how these APIs interact when used together, or whether they are completely interchangeable .

[phosphore]

Hello Mitch! I added to the LIMIT_NAVIGATION_JS_CHECK check the support for setWindowOpenHandler. The change is live from v1.9.1. Let me know if it works for you.

About your question, the webContents.on("new-window") et al works fine in v12 and previous electron version, for the moment it's just marked as deprecated. Note that setWindowOpenHandler was sporadically working on v12 (electron/electron#27967):

As a temporary fix before #28498, for anyone looking to prevent navigations to untrusted origins it should still possible to use the web-contents-created event emitted when a new webContents is created and attach then your new-window, will-navigate, and setWindowOpenHandler handlers:

app.on('web-contents-created', (createEvent, contents) => {
  
  contents.on('new-window', newEvent => {
    console.log("Blocked by 'new-window'")
    newEvent.preventDefault();
  });
  
  contents.on('will-navigate', newEvent => {
    console.log("Blocked by 'will-navigate'")
    newEvent.preventDefault()
  });
  
  contents.setWindowOpenHandler(({ url }) => {
    if (url.startsWith("https://doyensec.com/")) {
      setImmediate(() => {
        shell.openExternal(url);
        });
      return { action: 'allow' }
    } else {
      console.log("Blocked by 'setWindowOpenHandler'")
      return { action: 'deny' }
    }
  })
  
});

Link to the Fiddle gist used for testing. This works from 12.0.0 to the latest 12.0.2 as for now.

Originally posted by @phosphore in electron/electron#27967 (comment)

[mscharley]

I'm still getting an error flagged in 1.9.1 from LIMIT_NAVIGATION_GLOBAL_CHECK when using setWindowOpenHandler as below:

    this._window.webContents.setWindowOpenHandler((details) => {
      if (this.isAllowedInternalNavigationUrl(details.url)) {
        return { action: 'allow' };
      } else {
        this.tryExternalNavigation(details.url);
        return { action: 'deny' };
      }
    });

[phosphore]

This should now be resolved with v1.10. The issue was solved in ElectroNG since its early releases, but now I've ported it to electronegativity.

[goosewobbler]

@phosphore This still seems to produce a warning (see the above PR), am I doing something wrong? Our usage of setWindowOpenHandler:
https://github.com/floating/frame/blob/develop/main/windows/window.ts#L41
https://github.com/floating/frame/blob/develop/main/windows/window.ts#L68
https://github.com/floating/frame/blob/develop/main/windows/index.ts#L383

[phosphore]

No, it LGTM. Could you try again with the latest d0d4445? Thanks for catching that.

[goosewobbler]

Thanks for the quick response, looks like it's fixed!