										 |  |  | import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages'; | 
					
						
										 |  |  | import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal'; | 
					
						
										 |  |  | const { mainFrame: webFrame } = process._linkedBinding('electron_renderer_web_frame'); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | let shouldLog: boolean | null = null; | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-06-02 13:03:03 -07:00
										 |  |  | const { platform, execPath, env } = process; | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | /** | 
					
						
							|  |  |  |  * This method checks if a security message should be logged. | 
					
						
							|  |  |  |  * It does so by determining whether we're running as Electron, | 
					
						
							|  |  |  |  * which indicates that a developer is currently looking at the | 
					
						
							|  |  |  |  * app. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * @returns {boolean} - Should we log? | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const shouldLogSecurityWarnings = function (): boolean { | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |   if (shouldLog !== null) { | 
					
						
							|  |  |  |     return shouldLog; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   switch (platform) { | 
					
						
							|  |  |  |     case 'darwin': | 
					
						
							|  |  |  |       shouldLog = execPath.endsWith('MacOS/Electron') || | 
					
						
							|  |  |  |                   execPath.includes('Electron.app/Contents/Frameworks/'); | 
					
						
							|  |  |  |       break; | 
					
						
							|  |  |  |     case 'freebsd': | 
					
						
							|  |  |  |     case 'linux': | 
					
						
							|  |  |  |       shouldLog = execPath.endsWith('/electron'); | 
					
						
							|  |  |  |       break; | 
					
						
							|  |  |  |     case 'win32': | 
					
						
							|  |  |  |       shouldLog = execPath.endsWith('\\electron.exe'); | 
					
						
							|  |  |  |       break; | 
					
						
							|  |  |  |     default: | 
					
						
							|  |  |  |       shouldLog = false; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   if ((env && env.ELECTRON_DISABLE_SECURITY_WARNINGS) || | 
					
						
							|  |  |  |       (window && window.ELECTRON_DISABLE_SECURITY_WARNINGS)) { | 
					
						
							|  |  |  |     shouldLog = false; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   if ((env && env.ELECTRON_ENABLE_SECURITY_WARNINGS) || | 
					
						
							|  |  |  |       (window && window.ELECTRON_ENABLE_SECURITY_WARNINGS)) { | 
					
						
							|  |  |  |     shouldLog = true; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   return shouldLog; | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							| 
									
										
										
										
											2018-08-07 20:40:21 -05:00
										 |  |  |  * Checks if the current window is remote. | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |  * | 
					
						
							|  |  |  |  * @returns {boolean} - Is this a remote protocol? | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | const getIsRemoteProtocol = function () { | 
					
						
							|  |  |  |   if (window && window.location && window.location.protocol) { | 
					
						
							|  |  |  |     return /^(http|ftp)s?/gi.test(window.location.protocol); | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | /** | 
					
						
							|  |  |  |  * Checks if the current window is from localhost. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * @returns {boolean} - Is current window from localhost? | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | const isLocalhost = function () { | 
					
						
							|  |  |  |   if (!window || !window.location) { | 
					
						
							|  |  |  |     return false; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   return window.location.hostname === 'localhost'; | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | /** | 
					
						
							|  |  |  |  * Tries to determine whether a CSP without `unsafe-eval` is set. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * @returns {boolean} Is a CSP with `unsafe-eval` set? | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2021-10-25 14:11:24 -07:00
										 |  |  | const isUnsafeEvalEnabled = () => { | 
					
						
							|  |  |  |   return webFrame._isEvalAllowed(); | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | const moreInformation = `\nFor more information and help, consult
 | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  | https://electronjs.org/docs/tutorial/security.\nThis warning will not show up
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | once the app is packaged.`;
 | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | /** | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * #1 Only load secure content | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |  * | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * Checks the loaded resources on the current page and logs a | 
					
						
							|  |  |  |  * message about all resources loaded over HTTP or FTP. | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |  */ | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | const warnAboutInsecureResources = function () { | 
					
						
							|  |  |  |   if (!window || !window.performance || !window.performance.getEntriesByType) { | 
					
						
							|  |  |  |     return; | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-09-20 23:47:54 -07:00
										 |  |  |   const isLocal = (url: URL): boolean => | 
					
						
							|  |  |  |     ['localhost', '127.0.0.1', '[::1]', ''].includes(url.hostname); | 
					
						
							|  |  |  |   const isInsecure = (url: URL): boolean => | 
					
						
							|  |  |  |     ['http:', 'ftp:'].includes(url.protocol) && !isLocal(url); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   const resources = window.performance | 
					
						
							|  |  |  |     .getEntriesByType('resource') | 
					
						
							| 
									
										
										
										
											2021-09-20 23:47:54 -07:00
										 |  |  |     .filter(({ name }) => isInsecure(new URL(name))) | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     .map(({ name }) => `- ${name}`) | 
					
						
							|  |  |  |     .join('\n'); | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   if (!resources || resources.length === 0) { | 
					
						
							|  |  |  |     return; | 
					
						
							|  |  |  |   } | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   const warning = `This renderer process loads resources using insecure
 | 
					
						
							| 
									
										
										
										
											2019-06-17 23:21:30 +02:00
										 |  |  |   protocols. This exposes users of this app to unnecessary security risks. | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  |   Consider loading the following resources over HTTPS or FTPS. \n${resources} | 
					
						
							|  |  |  |   \n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   console.warn('%cElectron Security Warning (Insecure Resources)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							|  |  |  | }; | 
					
						
										 |  |  | /** | 
					
						
							|  |  |  |  * #2 on the checklist: Disable the Node.js integration in all renderers that | 
					
						
							|  |  |  |  * display remote content | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about Node integration. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const warnAboutNodeWithRemoteContent = function (nodeIntegration: boolean) { | 
					
						
							| 
									
										
										
										
											2019-07-02 03:36:50 -07:00
										 |  |  |   if (!nodeIntegration || isLocalhost()) return; | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   if (getIsRemoteProtocol()) { | 
					
						
							|  |  |  |     const warning = `This renderer process has Node.js integration enabled
 | 
					
						
							|  |  |  |     and attempted to load remote content from '${window.location}'. This | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  |     exposes users of this app to severe security risks.\n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     console.warn('%cElectron Security Warning (Node.js Integration with Remote Content)', | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |       'font-weight: bold;', warning); | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   } | 
					
						
							|  |  |  | }; | 
					
						
										 |  |  | // Currently missing since it has ramifications and is still experimental:
 | 
					
						
							|  |  |  | //   #3 Enable context isolation in all renderers that display remote content
 | 
					
						
							|  |  |  | //
 | 
					
						
							|  |  |  | // Currently missing since we can't easily programmatically check for those cases:
 | 
					
						
							|  |  |  | //   #4 Use ses.setPermissionRequestHandler() in all sessions that load remote content
 | 
					
						
										 |  |  | /** | 
					
						
							|  |  |  |  * #5 on the checklist: Do not disable websecurity | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about disabled webSecurity. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPreferences) { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   if (!webPreferences || webPreferences.webSecurity !== false) return; | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   const warning = `This renderer process has "webSecurity" disabled. This
 | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  |   exposes users of this app to severe security risks.\n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |   console.warn('%cElectron Security Warning (Disabled webSecurity)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							|  |  |  |  * #6 on the checklist: Define a Content-Security-Policy and use restrictive | 
					
						
							|  |  |  |  * rules (i.e. script-src 'self') | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about unset or insecure CSP | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | const warnAboutInsecureCSP = function () { | 
					
						
							| 
									
										
										
										
											2021-10-25 14:11:24 -07:00
										 |  |  |   if (!isUnsafeEvalEnabled()) return; | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-25 14:11:24 -07:00
										 |  |  |   const warning = `This renderer process has either no Content Security
 | 
					
						
							|  |  |  |   Policy set or a policy with "unsafe-eval" enabled. This exposes users of | 
					
						
							|  |  |  |   this app to unnecessary security risks.\n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-10-25 14:11:24 -07:00
										 |  |  |   console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							| 
									
										
										
										
											2019-06-17 23:21:30 +02:00
										 |  |  |  * #7 on the checklist: Do not set allowRunningInsecureContent to true | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about disabled webSecurity. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const warnAboutInsecureContentAllowed = function (webPreferences?: Electron.WebPreferences) { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   if (!webPreferences || !webPreferences.allowRunningInsecureContent) return; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   const warning = `This renderer process has "allowRunningInsecureContent"
 | 
					
						
							|  |  |  |   enabled. This exposes users of this app to severe security risks.\n | 
					
						
							|  |  |  |   ${moreInformation}`;
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   console.warn('%cElectron Security Warning (allowRunningInsecureContent)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							| 
									
										
										
										
											2019-06-17 23:21:30 +02:00
										 |  |  |  * #8 on the checklist: Do not enable experimental features | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about experimental features. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const warnAboutExperimentalFeatures = function (webPreferences?: Electron.WebPreferences) { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   if (!webPreferences || (!webPreferences.experimentalFeatures)) { | 
					
						
							|  |  |  |     return; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   const warning = `This renderer process has "experimentalFeatures" enabled.
 | 
					
						
							|  |  |  |   This exposes users of this app to some security risk. If you do not need | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  |   this feature, you should disable it.\n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |   console.warn('%cElectron Security Warning (experimentalFeatures)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							| 
									
										
										
										
											2019-06-17 23:21:30 +02:00
										 |  |  |  * #9 on the checklist: Do not use enableBlinkFeatures | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about enableBlinkFeatures | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2019-02-16 17:06:30 -08:00
										 |  |  | const warnAboutEnableBlinkFeatures = function (webPreferences?: Electron.WebPreferences) { | 
					
						
							|  |  |  |   if (!webPreferences || | 
					
						
							| 
									
										
										
										
											2023-06-27 22:57:33 +02:00
										 |  |  |     !Object.hasOwn(webPreferences, 'enableBlinkFeatures') || | 
					
						
							| 
									
										
										
										
											2021-02-18 19:11:35 +00:00
										 |  |  |     (webPreferences.enableBlinkFeatures != null && webPreferences.enableBlinkFeatures.length === 0)) { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     return; | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   const warning = `This renderer process has additional "enableBlinkFeatures"
 | 
					
						
							|  |  |  |   enabled. This exposes users of this app to some security risk. If you do not | 
					
						
							| 
									
										
										
										
											2019-06-18 09:59:02 -07:00
										 |  |  |   need this feature, you should disable it.\n${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |   console.warn('%cElectron Security Warning (enableBlinkFeatures)', | 
					
						
							|  |  |  |     'font-weight: bold;', warning); | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** | 
					
						
							| 
									
										
										
										
											2019-06-17 23:21:30 +02:00
										 |  |  |  * #10 on the checklist: Do Not Use allowpopups | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |  * | 
					
						
							|  |  |  |  * Logs a warning message about allowed popups | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | const warnAboutAllowedPopups = function () { | 
					
						
							|  |  |  |   if (document && document.querySelectorAll) { | 
					
						
							|  |  |  |     const domElements = document.querySelectorAll('[allowpopups]'); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (!domElements || domElements.length === 0) { | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |       return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     const warning = `A <webview> has "allowpopups" set to true. This exposes
 | 
					
						
							|  |  |  |     users of this app to some security risk, since popups are just | 
					
						
							|  |  |  |     BrowserWindows. If you do not need this feature, you should disable it.\n | 
					
						
							|  |  |  |     ${moreInformation}`;
 | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     console.warn('%cElectron Security Warning (allowpopups)', | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |       'font-weight: bold;', warning); | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   } | 
					
						
							|  |  |  | }; | 
					
						
										 |  |  | // Currently missing since we can't easily programmatically check for it:
 | 
					
						
										 |  |  | //   #11 Verify WebView Options Before Creation
 | 
					
						
							|  |  |  | //   #12 Disable or limit navigation
 | 
					
						
							|  |  |  | //   #13 Disable or limit creation of new windows
 | 
					
						
							|  |  |  | //   #14 Do not use `openExternal` with untrusted content
 | 
					
						
							|  |  |  | 
 | 
					
						
										 |  |  | const logSecurityWarnings = function ( | 
					
						
							|  |  |  |   webPreferences: Electron.WebPreferences | undefined, nodeIntegration: boolean | 
					
						
							|  |  |  | ) { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |   warnAboutNodeWithRemoteContent(nodeIntegration); | 
					
						
							|  |  |  |   warnAboutDisabledWebSecurity(webPreferences); | 
					
						
							|  |  |  |   warnAboutInsecureResources(); | 
					
						
							|  |  |  |   warnAboutInsecureContentAllowed(webPreferences); | 
					
						
							|  |  |  |   warnAboutExperimentalFeatures(webPreferences); | 
					
						
							|  |  |  |   warnAboutEnableBlinkFeatures(webPreferences); | 
					
						
							|  |  |  |   warnAboutInsecureCSP(); | 
					
						
							|  |  |  |   warnAboutAllowedPopups(); | 
					
						
							|  |  |  | }; | 
					
						
										 |  |  | const getWebPreferences = async function () { | 
					
						
							| 
									
										
										
										
											2019-02-06 18:53:29 +01:00
										 |  |  |   try { | 
					
						
							| 
									
										
										
										
											2020-10-13 23:11:06 +02:00
										 |  |  |     return ipcRendererInternal.invoke<Electron.WebPreferences>(IPC_MESSAGES.BROWSER_GET_LAST_WEB_PREFERENCES); | 
					
						
							| 
									
										
										
										
											2019-02-06 18:53:29 +01:00
										 |  |  |   } catch (error) { | 
					
						
							|  |  |  |     console.warn(`getLastWebPreferences() failed: ${error}`); | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  |   } | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  | }; | 
					
						
										 |  |  | export function securityWarnings (nodeIntegration: boolean) { | 
					
						
							| 
									
										
										
										
											2019-06-17 19:57:09 +02:00
										 |  |  |   const loadHandler = async function () { | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |     if (shouldLogSecurityWarnings()) { | 
					
						
							| 
									
										
										
										
											2019-06-17 19:57:09 +02:00
										 |  |  |       const webPreferences = await getWebPreferences(); | 
					
						
							| 
									
										
										
										
											2018-10-03 21:36:12 +02:00
										 |  |  |       logSecurityWarnings(webPreferences, nodeIntegration); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  |   window.addEventListener('load', loadHandler, { once: true }); | 
					
						
							| 
									
										
										
										
											2018-02-03 06:50:12 -08:00
										 |  |  | } |