fix: newly spawned untrusted windows shouldnt have electon api injection at all

abose · abose · commit 67870a74af10 · 2026-01-29T09:30:30.000+05:30
diff --git a/src-electron/ipc-security.js b/src-electron/ipc-security.js
@@ -20,7 +20,7 @@ const _trustedWebContents = new Set();
  * - Dev stage: trustedElectronDomains + all localhost URLs
  * - Other stages: only trustedElectronDomains
  */
-function _isTrustedOrigin(url) {
+function isTrustedOrigin(url) {
     if (!url) return false;
 
     // Check against trustedElectronDomains
@@ -51,7 +51,7 @@ function _isTrustedOrigin(url) {
  */
 function updateTrustStatus(webContents) {
     const url = webContents.getURL();
-    if (_isTrustedOrigin(url)) {
+    if (isTrustedOrigin(url)) {
         _trustedWebContents.add(webContents.id);
     } else {
         _trustedWebContents.delete(webContents.id);
@@ -84,6 +84,7 @@ function assertTrusted(event) {
 }
 
 module.exports = {
+    isTrustedOrigin,
     updateTrustStatus,
     cleanupTrust,
     assertTrusted
diff --git a/src-electron/main-window-ipc.js b/src-electron/main-window-ipc.js
@@ -2,7 +2,7 @@ const { ipcMain, BrowserWindow, shell, clipboard } = require('electron');
 const path = require('path');
 const { spawn } = require('child_process');
 const { cleanupWindowTrust } = require('./main-cred-ipc');
-const { updateTrustStatus, cleanupTrust, assertTrusted } = require('./ipc-security');
+const { isTrustedOrigin, updateTrustStatus, cleanupTrust, assertTrusted } = require('./ipc-security');
 
 const PHOENIX_WINDOW_PREFIX = 'phcode-';
 const PHOENIX_EXTENSION_WINDOW_PREFIX = 'extn-';
@@ -91,8 +91,8 @@ function registerWindowIpcHandlers() {
             sandbox: true
         };
 
-        // Only inject preload for Phoenix windows, not extensions
-        if (!isExtension) {
+        // Only inject preload for Phoenix windows with trusted URLs, not extensions
+        if (!isExtension && isTrustedOrigin(url)) {
             webPreferences.preload = path.join(__dirname, 'preload.js');
         }
 
