Validate protocol of opened external URLs

Not aware of any way that somebody could XSS a dangerous external URL into the
app invisibly, but it's good to protect against that possibility I think.

Author: pimterry

src/index.ts

@@ -202,24 +202,36 @@ if (!amMainInstance) {
         });
 
         // Redirect all navigations & new windows to the system browser
-        contents.on('will-navigate', (event, navigationUrl) => {
-            const parsedUrl = new URL(navigationUrl);
+        contents.on('will-navigate', handleNavigation);
+        contents.on('new-window', handleNavigation);
+    });
 
-            if (parsedUrl.origin !== APP_URL) {
-                event.preventDefault();
-                shell.openExternal(navigationUrl);
-            }
-        });
+    function handleNavigation(event: Electron.Event, navigationUrl: string) {
+        const parsedUrl = new URL(navigationUrl);
 
-        contents.on('new-window', (event, navigationUrl) => {
-            const parsedUrl = new URL(navigationUrl);
+        checkForUnsafeNavigation(parsedUrl);
 
-            if (parsedUrl.origin !== APP_URL) {
-                event.preventDefault();
-                shell.openExternal(navigationUrl);
-            }
-        });
-    });
+        if (!isLocalNavigation(parsedUrl)) {
+            event.preventDefault();
+            handleExternalNavigation(parsedUrl);
+        }
+    }
+
+    function checkForUnsafeNavigation(url: URL) {
+        if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+            // This suggests an attempted XSS attack of some sort, report it:
+            const error = new Error(`Attempt to open a dangerous non-HTTP url: ${url}`);
+            throw error;
+        }
+    }
+
+    function isLocalNavigation(url: URL) {
+        return url.origin === APP_URL;
+    }
+
+    function handleExternalNavigation(url: URL) {
+        shell.openExternal(url.toString());
+    }
 
     function showErrorAlert(title: string, body: string) {
         console.warn(`${title}: ${body}`);