drop "hcaptcha.com" whitelisting as @ProtonMail switched to own captcha
vladimiry committed Sep 22, 2023
1 parent 8b54e69 commit 1176d5b
Showing 2 changed files with 3 additions and 13 deletions.
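--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "electron-mail",
 "description": "Unofficial ProtonMail Desktop App",
-"version": "5.2.0",
+"version": "5.2.1",
 "author": "Vladimir Yakovlev <desktop-app@protonmail.ch>",
 "license": "GPL-3.0",
 "homepage": "https://github.com/vladimiry/ElectronMail",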
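--- a/src/electron-main/web-request/index.ts
+++ b/src/electron-main/web-request/index.ts
@@ -97,10 +97,8 @@ export function initWebRequestListenersByAccount(
 const resolveAllowedOrigins = (url: Exclude<ReturnType<typeof resolveWebRequestUrl>, null>): readonly string [] => {
 return reduceDuplicateItemsFromArray([
 ...[
-...[
-...STATIC_ALLOWED_ORIGINS,
-...PROTON_API_SUBDOMAINS.map((subdomain) => resolveProtonApiOrigin({accountEntryUrl, subdomain})),
-],
+...STATIC_ALLOWED_ORIGINS,
+...PROTON_API_SUBDOMAINS.map((subdomain) => resolveProtonApiOrigin({accountEntryUrl, subdomain})),
 ...(() => {
 // - it has been noticed the at least "fra-storage/zrh-storage/storage" subdomains used by Proton for Drive service
 // - interesting thing is that those subdomains are not hardcoded in the https://github.com/ProtonMail/WebClients code
@@ -117,14 +115,6 @@ export function initWebRequestListenersByAccount(
 );
 return isStorageSubdomain ? [url.origin] : [];
 })(),
-...(() => {
-// the iframe page generated by /core/v4/captcha?Token=... request at least loads the following stuff:
-// - script: https://hcaptcha.com/1/api.js?onload=loadCaptcha&render=explicit
-// - subFrame: https://newassets.hcaptcha.com/captcha/v1/335f764/static/hcaptcha.html
-// - possibly https://accounts.hcaptcha.com
-// so whitelisting it with subdomains
-return url.origin === "https://hcaptcha.com" || url.origin.endsWith(".hcaptcha.com") ? [url.origin]: [];
-})(),
 ].map(parseUrlOriginWithNullishCheck),
 ]);
 };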
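Review bot: With the hcaptcha branch removed from `resolveAllowedOrigins`, nothing in the function records why no third-party captcha origin is allowed any more; a one-line comment beside the remaining spreads, e.g. `// captcha is served by Proton itself now, so no third-party captcha origin belongs in this list`, would stop a later maintainer from re-adding a suffix-matched entry when a captcha request gets blocked. Whether the Proton-hosted captcha origin is actually matched by `STATIC_ALLOWED_ORIGINS` or the `PROTON_API_SUBDOMAINS` origins cannot be confirmed from these hunks, because both constants are defined elsewhere. As a minor style point, after the flattening the outer array literal passed to `reduceDuplicateItemsFromArray` appears to hold a single spread, so `[...[ … ].map(parseUrlOriginWithNullishCheck)]` could be passed as `[ … ].map(parseUrlOriginWithNullishCheck)` directly. The storage-subdomain check sits between the two hunks and is not shown, and the enclosing `initWebRequestListenersByAccount` starts and ends outside them.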
