diff --git a/docs/README.md b/docs/README.md index 5b6edf788b2b..bc5b3346b785 100644 --- a/docs/README.md +++ b/docs/README.md @@ -30,7 +30,7 @@ an issue: * [electron-forge](tutorial/boilerplates-and-clis.md#electron-forge) * [electron-builder](tutorial/boilerplates-and-clis.md#electron-builder) * [electron-react-boilerplate](tutorial/boilerplates-and-clis.md#electron-react-boilerplate) - * [Other Tools and Boilerplates](tutorial/boilerplates-and-clis.md#other-tools-and-boilerplates)\ + * [Other Tools and Boilerplates](tutorial/boilerplates-and-clis.md#other-tools-and-boilerplates) * [Application Architecture](tutorial/application-architecture.md) * [Main and Renderer Processes](tutorial/application-architecture.md#main-and-renderer-processes) * [Using Electron's APIs](tutorial/application-architecture.md#using-electron-apis) diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index 04fa64d43f36..8a19ada42815 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -521,7 +521,7 @@ A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. However, a WebView will always create an independent renderer process with its own `webPreferences`. -It is a good idea to control the creation of new [`WebViews`](web-view) from +It is a good idea to control the creation of new [`WebViews`][web-view] from the main process and to verify that their webPreferences do not disable security features. @@ -533,11 +533,11 @@ website even if Node.js integration is otherwise disabled. Electron enables developers to disable various security features that control a renderer process. In most cases, developers do not need to disable any of those features - and you should therefore not allow different configurations -for newly created [``](web-view) tags. +for newly created [``][web-view] tags. ### How? -Before a [``](web-view) tag is attached, Electron will fire the +Before a [``][web-view] tag is attached, Electron will fire the `will-attach-webview` event on the hosting `webContents`. Use the event to prevent the creation of WebViews with possibly insecure options.