diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 3e4486363a..0c7cc2a0e1 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -119,11 +119,13 @@ Aut
Authenticode
AUTHN
AUTHZ
+Autofill
autogenerate
autogenerated
AUTOHIDE
AUTOMATIONPROPERTIES
Autorun
+Autosave
Autostart
AUTOUPDATE
AValid
diff --git a/src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs b/src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs
index 5d5cefb234..ea2480a59a 100644
--- a/src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs
+++ b/src/modules/previewpane/SvgPreviewHandler/SvgPreviewControl.cs
@@ -38,6 +38,11 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
///
private const string VirtualHostName = "PowerToysLocalSvg";
+ ///
+ /// URI of the local file saved with the contents
+ ///
+ private Uri _localFileURI;
+
///
/// Gets the path of the current assembly.
///
@@ -162,6 +167,16 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
}
}
+ // Disable loading resources.
+ private void CoreWebView2_BlockExternalResources(object sender, CoreWebView2WebResourceRequestedEventArgs e)
+ {
+ // Show local file we've saved with the svg contents. Block all else.
+ if (new Uri(e.Request.Uri) != _localFileURI)
+ {
+ e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
+ }
+ }
+
///
/// Adds a WebView2 Control to Control Collection.
///
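Review bot: `new Uri(e.Request.Uri)` on the `if` line throws `UriFormatException` for any request URI that System.Uri cannot parse, and an exception escaping a WebView2 event handler is not caught by anything visible here, so a malformed request would bring down the preview instead of being refused. Parse with `TryCreate` and treat a parse failure, or a still-unset `_localFileURI`, as a block so the allow-list fails closed: `if (_localFileURI is null || !Uri.TryCreate(e.Request.Uri, UriKind.Absolute, out Uri requested) || requested != _localFileURI)`. Keep in mind that `Uri` equality ignores only the fragment and the case of scheme and host, so the match depends on Chromium and .NET canonicalising the file path identically; comparing `requested.LocalPath` against `_localFileURI.LocalPath` with an ordinal-ignore-case comparison is worth considering if the user-data folder can contain characters that escape differently.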
@@ -171,9 +186,11 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
_browser = new WebView2();
_browser.Dock = DockStyle.Fill;
+ // Prevent new windows from being opened.
+ var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment
- .CreateAsync(userDataFolder: _webView2UserDataFolder)
+ .CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(() =>
{
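Review bot: `--block-new-web-contents`, passed as `additionalBrowserArguments` on the new line, is a raw Chromium switch with no WebView2 API contract, so a future runtime can drop or rename it and this code gets neither an error nor the protection. Pair it with the documented hook, `_browser.CoreWebView2.NewWindowRequested += (s, e) => e.Handled = true;`, placed next to the other settings so pop-ups stay blocked even if the switch stops working. Also note that WebView2 shares one browser process per user data folder, so if another environment is ever created for `_webView2UserDataFolder` with different arguments, `CreateAsync` may fail; the failure path is outside this hunk. The enclosing method starts before and ends after this hunk.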
@@ -183,9 +200,19 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
{
_webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
- await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});");
- _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
+ _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
+ _browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
+ _browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
+ _browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
+ _browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
+ _browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
+ _browser.CoreWebView2.Settings.IsScriptEnabled = false;
+ _browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
+
+ // Don't load any resources.
+ _browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
+ _browser.CoreWebView2.WebResourceRequested += CoreWebView2_BlockExternalResources;
// WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
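Review bot: The `SetVirtualHostNameToFolderMapping` call on the new line still publishes the entire assembly directory (DLLs included) under the `PowerToysLocalSvg` origin, while the `*` filter and 403 handler added below refuse every request to that origin anyway, so the mapping is now dead configuration that only matters if the filter is ever relaxed. Unless the `else` branch further down (outside this hunk) still depends on the virtual host, remove the call; if it must stay, add a one-line comment above it giving the reason and stating that the `WebResourceRequested` filter still rejects every request to that origin. Separately, `_browser.CoreWebView2.Settings.AreBrowserAcceleratorKeysEnabled = false;` would also suppress Ctrl+P/Ctrl+S style shortcuts inside the pane, if the SDK version in use exposes that setting.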
@@ -194,7 +221,8 @@ namespace Microsoft.PowerToys.PreviewHandler.Svg
{
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, svgData);
- _browser.Source = new Uri(filename);
+ _localFileURI = new Uri(filename);
+ _browser.Source = _localFileURI;
}
else
{
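Review bot: `_localFileURI` is assigned only in this branch; the `else` branch that begins on the hunk's last line (its body is outside the hunk) leaves the field at its previous value, so after a non-file navigation the previously written `.html` stays on the resource allow-list. Clearing it at the top of that branch, `_localFileURI = null;`, keeps the handler's comparison failing closed, provided the main document in that branch is not itself served through a `file:` request. Whether the written `.html` files are ever deleted cannot be seen from here; if they are not, each preview leaves one file behind in the user-data folder.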
diff --git a/src/modules/previewpane/SvgThumbnailProvider/SvgThumbnailProvider.cs b/src/modules/previewpane/SvgThumbnailProvider/SvgThumbnailProvider.cs
index fd6c2d03de..8ba3841789 100644
--- a/src/modules/previewpane/SvgThumbnailProvider/SvgThumbnailProvider.cs
+++ b/src/modules/previewpane/SvgThumbnailProvider/SvgThumbnailProvider.cs
@@ -51,6 +51,11 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
///
private const string VirtualHostName = "PowerToysLocalSvgThumbnail";
+ ///
+ /// URI of the local file saved with the contents
+ ///
+ private Uri _localFileURI;
+
///
/// Gets the path of the current assembly.
///
@@ -126,9 +131,10 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
thumbnailDone = true;
};
+ var webView2Options = new CoreWebView2EnvironmentOptions("--block-new-web-contents");
ConfiguredTaskAwaitable.ConfiguredTaskAwaiter
webView2EnvironmentAwaiter = CoreWebView2Environment
- .CreateAsync(userDataFolder: _webView2UserDataFolder)
+ .CreateAsync(userDataFolder: _webView2UserDataFolder, options: webView2Options)
.ConfigureAwait(true).GetAwaiter();
webView2EnvironmentAwaiter.OnCompleted(async () =>
{
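Review bot: The `--block-new-web-contents` argument added here is an unvalidated Chromium switch, so a thumbnail run on a runtime that no longer recognises it gets no error and no protection. Registering `_browser.CoreWebView2.NewWindowRequested += (s, e) => e.Handled = true;` alongside the settings in the next hunk gives a documented guarantee, which matters because thumbnail extraction presumably runs without a user-visible surface where a stray window could be noticed and closed. The enclosing method starts before and ends after this hunk.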
@@ -136,9 +142,26 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
{
_webView2Environment = webView2EnvironmentAwaiter.GetResult();
await _browser.EnsureCoreWebView2Async(_webView2Environment).ConfigureAwait(true);
- await _browser.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync("window.addEventListener('contextmenu', window => {window.preventDefault();});");
- _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Allow);
+ _browser.CoreWebView2.SetVirtualHostNameToFolderMapping(VirtualHostName, AssemblyDirectory, CoreWebView2HostResourceAccessKind.Deny);
_browser.CoreWebView2.Settings.AreDefaultScriptDialogsEnabled = false;
+ _browser.CoreWebView2.Settings.AreDefaultContextMenusEnabled = false;
+ _browser.CoreWebView2.Settings.AreDevToolsEnabled = false;
+ _browser.CoreWebView2.Settings.AreHostObjectsAllowed = false;
+ _browser.CoreWebView2.Settings.IsGeneralAutofillEnabled = false;
+ _browser.CoreWebView2.Settings.IsPasswordAutosaveEnabled = false;
+ _browser.CoreWebView2.Settings.IsScriptEnabled = false;
+ _browser.CoreWebView2.Settings.IsWebMessageEnabled = false;
+
+ // Don't load any resources.
+ _browser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
+ _browser.CoreWebView2.WebResourceRequested += (object sender, CoreWebView2WebResourceRequestedEventArgs e) =>
+ {
+ // Show local file we've saved with the svg contents. Block all else.
+ if (new Uri(e.Request.Uri) != _localFileURI)
+ {
+ e.Response = _browser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
+ }
+ };
// WebView2.NavigateToString() limitation
// See https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.navigatetostring?view=webview2-dotnet-1.0.864.35#remarks
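Review bot: The lambda added at the end of this hunk calls `new Uri(e.Request.Uri)`, which throws `UriFormatException` for a request URI that System.Uri cannot parse, and nothing visible here catches a throw from inside a WebView2 event handler; a malformed request should be refused, not abort the thumbnail. Use `Uri.TryCreate` and block on failure or while `_localFileURI` is still unset: `if (_localFileURI is null || !Uri.TryCreate(e.Request.Uri, UriKind.Absolute, out Uri requested) || requested != _localFileURI)`. The same handler appears as a named method in SvgPreviewControl.cs in this diff; giving this one a name as well would make the two easier to keep in sync. The enclosing callback begins in the previous hunk.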
@@ -147,7 +170,8 @@ namespace Microsoft.PowerToys.ThumbnailHandler.Svg
{
string filename = _webView2UserDataFolder + "\\" + Guid.NewGuid().ToString() + ".html";
File.WriteAllText(filename, wrappedContent);
- _browser.Source = new Uri(filename);
+ _localFileURI = new Uri(filename);
+ _browser.Source = _localFileURI;
}
else
{