Version 0.3.1 - Security fixes (#7)

* Fixes security issues

* Updates version number to 0.3.1

src/index.js

@@ -9,7 +9,8 @@ function createWindow() {
         width: windowWidth,
         height: height,
         webPreferences: {
-            nodeIntegration: true
+            nodeIntegration: false,
+            preload: path.join(app.getAppPath(), 'public/preload.js')
         },
         alwaysOnTop: true,
         frame: false,

src/package.json

@@ -1,6 +1,6 @@
 {
   "name": "liveapp-mvp",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "private": true,
   "description": "A frontend for the WidgetBot discord bot",
   "main": "index.js",

src/public/index.html

@@ -3,6 +3,7 @@
 	<head>
 		<meta charset="utf-8">
 		<meta name="description" content="A frontend for the WidgetBot discord bot">
+		<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
 		<link rel="stylesheet" href="style.css">
 		<link href="https://fonts.googleapis.com/css2?family=Ubuntu:wght@500&display=swap" rel="stylesheet">
 		<title>Live App</title>
@@ -25,6 +26,6 @@
 			server="238975753969074177" 
 			channel="718795219369328661">
 		</widgetbot>
-		<script src="https://cdn.jsdelivr.net/npm/@widgetbot/html-embed"></script>
+		<script src="thirdparty/widgetbot_html-embed.js"></script>
 	</body>
 </html>

src/public/preload.js

@@ -0,0 +1,5 @@
+const electron = require('electron');
+
+process.once('loaded', () => {
+  global.ipcRenderer = electron.ipcRenderer;
+});

src/public/titlebar.js

@@ -1,4 +1,7 @@
-const { ipcRenderer } = require('electron')
+// when no preloading is done, for pages with nodeIntegration enabled
+if (ipcRenderer === undefined) {
+    global.ipcRenderer = require('electron')
+}
 
 document.getElementById('minimize').addEventListener('click', () => ipcRenderer.send('minimizeWindow'))
 document.getElementById('close').addEventListener('click', () => ipcRenderer.send('closeWindow'))