
I have an Electron app that loads third-party code from local files installed on the user's computer into a <webview> tag. Currently the webview is able to load any local file via absolute paths (file://...) or parent references (../../file.ext).

For security reasons, I want to limit the webview's local file access to only the files inside a specific directory (where the HTML file is), and prevent it from accessing anything outside. Is it possible to do this in Electron?

Martijn Pieters
KwiZ

1 Answer

I have found the solution myself: if you reference the HTML in the webview's src attribute with the file://... protocol, the webview will be able to access all the local files.

So the solution is, instead of pointing directly to the HTML with the file://... protocol, you should run a local web server that serves only the static files that you want the webview to have access to. When the webview's src is loaded using http(s)://..., Electron will automatically treat it like a normal web page, blocking access to all local files. Problem solved.

KwiZ
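A sketch of the local web server the answer describes, added here as an example and not code from the original post: a Node.js static server that refuses any request resolving outside one directory, including through symlinks. The names `resolveInsideRoot`, `createSandboxServer`, `isInside`, `TYPES` and `pluginDir` are assumptions made for illustration.

```javascript
// Added example (names are hypothetical): static server confined to one directory.
const http = require('node:http');
const fs = require('node:fs');
const path = require('node:path');

const TYPES = { '.html': 'text/html', '.js': 'text/javascript', '.css': 'text/css' };

// True when `target` is `base` itself or lies beneath it.
function isInside(base, target) {
  const rel = path.relative(base, target);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Map a request URL to a path under `root`; null if it would escape the root
// (../ segments, percent-encoded dots, NUL bytes, malformed encoding).
function resolveInsideRoot(root, url) {
  let decoded;
  try {
    decoded = decodeURIComponent(url.split('?')[0]);
  } catch {
    return null;
  }
  if (decoded.includes('\0')) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, '.' + path.sep + decoded);
  return isInside(base, target) ? target : null;
}

function createSandboxServer(root) {
  const base = fs.realpathSync(root);
  return http.createServer((req, res) => {
    const candidate = req.method === 'GET' ? resolveInsideRoot(base, req.url) : null;
    let real = null;
    try {
      // Resolve symlinks, then re-check: a link inside the root may point outside it.
      if (candidate) real = fs.realpathSync(candidate);
    } catch { /* file does not exist */ }
    if (!real || !isInside(base, real) || !fs.statSync(real).isFile()) {
      res.writeHead(404).end();
      return;
    }
    const type = TYPES[path.extname(real)] || 'application/octet-stream';
    res.writeHead(200, { 'Content-Type': type, 'X-Content-Type-Options': 'nosniff' });
    fs.createReadStream(real).pipe(res);
  });
}

// In the Electron main process (not run here): listen on loopback only, then point
// the <webview> src at http://127.0.0.1:<port>/index.html instead of file://...
// createSandboxServer(pluginDir).listen(0, '127.0.0.1');
```

Any local process can reach a loopback port, so this limits what the webview can read, not who can read the served directory.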