mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

📝 Add to security checklist about permission requests

Browse source 
If the handler is not set, remote content can access to user's
information without allowing the permission. e.g. UserMedia
[ci skip]
This commit is contained in:
Yuya Ochiai 2017-01-20 23:50:10 +09:00
commit 11f2574fda
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/tutorial/security.md
View file

@ -58,6 +58,7 @@ This is not bulletproof, but at the least, you should attempt the following:
(setting `nodeIntegration` to `false` in `webPreferences`) (setting `nodeIntegration` to `false` in `webPreferences`)
* Enable context isolation in all renderers that display remote content * Enable context isolation in all renderers that display remote content
(setting `contextIsolation` to `true` in `webPreferences`) (setting `contextIsolation` to `true` in `webPreferences`)
* Use `ses.setPermissionRequestHandler()` in all sessions that load remote content
* Do not disable `webSecurity`. Disabling it will disable the same-origin policy. * Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
* Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) * Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
, and use restrictive rules (i.e. `script-src 'self'`) , and use restrictive rules (i.e. `script-src 'self'`)