fix security issue (#68)

fixes #67

browser.js

@@ -1,12 +1,12 @@
 'use strict';
-/* globals Mousetrap scrollToTweet */
-const path = require('path');
 const electron = require('electron');
+const Mousetrap = require('./vendor/mousetrap.js');
+require('./vendor/mousetrap-global-bind.js');
+const scrollToTweet = require('./vendor/scroll-to-tweet.js');
 const ipc = electron.ipcRenderer;
 const remote = electron.remote;
 const storage = remote.require('./storage');
 const $ = document.querySelector.bind(document);
-// const $$ = document.querySelectorAll.bind(document);
 
 function changeTab(next) {
 	const pages = [
@@ -218,17 +218,6 @@ function zoomInit() {
 }
 
 document.addEventListener('DOMContentLoaded', () => {
-	// load vendor scripts
-	[
-		path.resolve('vendor/mousetrap.js'),
-		path.resolve('vendor/mousetrap-global-bind.js'),
-		path.resolve('vendor/scroll-to-tweet.js')
-	].forEach(src => {
-		const script = document.createElement('script');
-		script.textContent = `require('${src}')`;
-		document.head.appendChild(script);
-	});
-
 	zoomInit();
 
 	// enable OS specific styles

index.js

@@ -50,10 +50,7 @@ function createMainWindow() {
 		backgroundColor: isDarkMode ? '#192633' : '#fff',
 		webPreferences: {
 			preload: path.join(__dirname, 'browser.js'),
-			// removed until preloads accepts more than a single file
-			// ref: https://github.com/electron/electron/issues/5400
-			// nodeIntegration: false,
-			webSecurity: false,
+			nodeIntegration: false,
 			plugins: true
 		}
 	});

package.json

@@ -24,7 +24,7 @@
   },
   "devDependencies": {
     "electron-packager": "^7.0.0",
-    "electron-prebuilt": "^1.1.1",
+    "electron-prebuilt": "^1.1.2",
     "xo": "*"
   },
   "xo": {

vendor/scroll-to-tweet.js

@@ -54,4 +54,8 @@ Updates should happen there first.
 
 		window.scrollTo(0, scrollTarget);
 	};
+
+	if (typeof module !== 'undefined' && module.exports) {
+		module.exports = window.scrollToTweet;
+	}
 })();