From e5998ce486599733bd89857402832b7bbb7bdebf Mon Sep 17 00:00:00 2001
From: Sergei Chestakov <me@sergei.com>
Date: Fri, 15 Mar 2024 09:15:52 -0400
Subject: [PATCH] Update window open handler to accept new allowlisted
 protocols (#152)

---
 src/createWindow.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/createWindow.ts b/src/createWindow.ts
index 2bdc4ee..4594f66 100644
--- a/src/createWindow.ts
+++ b/src/createWindow.ts
@@ -177,8 +177,9 @@ export function createWindow(props?: WindowProps): BrowserWindow {
     try {
       const u = new URL(details.url);
 
-      // Don't open URLs with protocols other than http / https externally since they may open other apps.
-      if (u.protocol !== 'https:' && u.protocol !== 'http:') {
+      // Don't open URLs with protocols other than those we explicitly allow otherwise to prevent users
+      // from opening external apps and running untrusted code that could compromise their machines.
+      if (!EXTERNAL_PROTOCOLS_ALLOW_LIST.includes(u.protocol)) {
         return {
           action: 'deny',
         };
@@ -208,14 +209,13 @@ export function createWindow(props?: WindowProps): BrowserWindow {
 
     // Prevent navigation away from Replit or supported pages
     if (!isReplit || !isSupportedPage(u.pathname)) {
-      event.preventDefault();
-
       // Don't open URLs with protocols other than those we explicitly allow otherwise to prevent users
       // from opening external apps and running untrusted code that could compromise their machines.
       if (!EXTERNAL_PROTOCOLS_ALLOW_LIST.includes(u.protocol)) {
         return;
       }
 
+      event.preventDefault();
       shell.openExternal(navigationUrl);
     }
   });