How can I verify the source of a <webview>.send message inside my <webview>?


#1

I have an Electron app which is simply a wrapper around a web app.

In my web app, I’d like to use <webview>.send to send a message to a handler inside the <webview>, but for various security reasons, I’d like to verify the source of the message to be the same page which created the <webview> in the first place (not any other possibly malicious attacker).

In the actual web app, postMessage can be used to check the MessageEvent.source attribute of the message.

However, there is no such information available in the event received by the <webview> using ipcRenderer.on(<message>, function(sender, event) {}).

How can I verify who the sender of a <webview>.send event is?

I’m also open to other options for securing my message channel as well. The end goal is that my <webview> script and my app script can communicate and trust each other’s messages.

Full disclaimer: This is a copy of my SO post, but I figured this is a better, more targeted audience 🙂