Disabling Electron webSecurity¶

ID: js/disabling-electron-websecurity
Kind: problem
Security severity: 6.1
Severity: error
Precision: very-high
Tags:
   - security
   - frameworks/electron
   - external/cwe/cwe-079
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Electron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the webSecurity property of a webPreferences object to false will disable the same-origin policy.

Disabling the same-origin policy is strongly discouraged.

Recommendation¶

Do not disable webSecurity.

Example¶

The following example shows webSecurity being disabled.

const mainWindow = new BrowserWindow({
  webPreferences: {
    webSecurity: false
  }
})

This is problematic, since it allows the execution of insecure code from other domains.

References¶

Electron Documentation: Security, Native Capabilities, and Your Responsibility
Common Weakness Enumeration: CWE-79.

© GitHub, Inc.
Terms
Privacy

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Disabling Electron webSecurity¶

Recommendation¶

Example¶

References¶

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.