From 2257cd954273619a412d1123f6727e72bfabf56d Mon Sep 17 00:00:00 2001
From: sergeichestakov
Date: Mon, 11 Mar 2024 14:40:00 -0700
Subject: [PATCH] Add vscode:// and replit:// to external protocol allowlist

---
 src/createWindow.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/createWindow.ts b/src/createWindow.ts
index 5bb7365..2bdc4ee 100644
--- a/src/createWindow.ts
+++ b/src/createWindow.ts
@@ -122,6 +122,10 @@ function getPlatformSpecificStyling({
 return {};
 }
 
+const EXTERNAL_PROTOCOLS_ALLOW_LIST = ['http', 'https', 'replit', 'vscode'].map(
+ (p) => `${p}:`,
+);
+
 export function createWindow(props?: WindowProps): BrowserWindow {
 updateStoreWithFocusedWindowValues();
 const backgroundColor = store.getLastSeenBackgroundColor();
@@ -206,8 +210,9 @@ export function createWindow(props?: WindowProps): BrowserWindow {
 if (!isReplit || !isSupportedPage(u.pathname)) {
 event.preventDefault();
 
- // Don't open URLs with protocols other than http / https externally since they may open other apps.
- if (u.protocol !== 'https:' && u.protocol !== 'http:') {
+ // Don't open URLs with protocols other than those we explicitly allow otherwise to prevent users
+ // from opening external apps and running untrusted code that could compromise their machines.
+ if (!EXTERNAL_PROTOCOLS_ALLOW_LIST.includes(u.protocol)) {
 return;
 }
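Review bot: `EXTERNAL_PROTOCOLS_ALLOW_LIST` is a security boundary but is declared without a comment and as a plain mutable `string[]`, so nothing tells the next editor what adding an entry grants. I would put a doc comment above it, for example `/** Schemes, in URL.protocol form with the trailing ':', that may be handed to the OS to open outside the app. Each non-web entry lets a navigation launch another local application. */`. Making it immutable, for example `const EXTERNAL_PROTOCOLS_ALLOW_LIST: ReadonlySet<string> = new Set(['http:', 'https:', 'replit:', 'vscode:']);`, would also keep other code in the module from extending it at runtime. The call site in the second hunk would then use `.has(u.protocol)`.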
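Review bot: The guard `if (!EXTERNAL_PROTOCOLS_ALLOW_LIST.includes(u.protocol))` admits every `vscode:` and `replit:` URL on scheme alone, so the host, path and query are passed through unchecked to whatever opens the URL after this block. That call is outside the hunk, so this is inferred. Unlike `http:`/`https:`, these schemes are handled by a locally installed application rather than a browser, and the visible condition `!isReplit || !isSupportedPage(u.pathname)` appears to describe the target URL, not the page that triggered the navigation. Consider narrowing the non-web schemes to the specific targets the product needs (a short allow-list compared against `u.host` and `u.pathname`), or only honouring them when the navigation starts from a Replit page. The new comment's "explicitly allow otherwise" also reads as if a word is missing. `// Only hand off URLs whose protocol is on the allow list; other schemes can launch local apps with untrusted input.` would state the intent more directly.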