From 27a4522d65fc6c39a750a4fde7a147819f3e965d Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Wed, 17 May 2017 13:56:19 -0700 Subject: [PATCH] Add will-attach-webview advice to security.md --- docs/api/webview-tag.md | 4 ---- docs/tutorial/security.md | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/docs/api/webview-tag.md b/docs/api/webview-tag.md index 610ecff4e362..c912791b7c12 100644 --- a/docs/api/webview-tag.md +++ b/docs/api/webview-tag.md @@ -15,10 +15,6 @@ between your app and embedded content will be asynchronous. This keeps your app safe from the embedded content. **Note:** Most methods called on the webview from the host page require a syncronous call to the main process. -For security purposes, `webview` can only be used in `BrowserWindow`s that have -`nodeIntegration` enabled. You can override this security restiction using -`overrideWebViewSecurity` option on [browser-window](browser-window.md). - ## Example To embed a web page in your app, add the `webview` tag to your app's embedder diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index 628edd84ed85..5b9fe2874723 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md 
@@ -77,6 +77,26 @@ This is not bulletproof, but at the least, you should attempt the following: * WebViews: Do not use `disablewebsecurity` * WebViews: Do not use `allowpopups` * WebViews: Do not use `insertCSS` or `executeJavaScript` with remote CSS/JS. +* WebViews: Verify the options and params of all `` tags before they + get attached using the `will-attach-webview` event: + +```js +app.on('web-contents-created', (event, contents) => { + contents.on('will-attach-webview', (event, webPreferences, params) => { + // Strip away preload scripts if unused or verify their location is legitimate + delete webPreferences.preload + delete webPreferences.preloadURL + + // Disable node integration + webPreferences.nodeIntegration = false + + // Verify URL being loaded + if (!params.src.startsWith('https://yourapp.com/')) { + event.preventDefault() + } + }) +}) +``` Again, this list merely minimizes the risk, it does not remove it. If your goal is to display a website, a browser will be a more secure option.
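Review bot: In the `docs/api/webview-tag.md` hunk, the deleted paragraph was the only place this reference page told readers that `webview` is gated on the embedder's `nodeIntegration` setting and that `overrideWebViewSecurity` exists, and nothing is added in its place, so readers of the API page lose the pointer to how webviews are restricted. Suggest replacing the removed lines with a one-sentence cross-reference to the new `will-attach-webview` guidance in `docs/tutorial/security.md`, e.g. "See the [security tutorial](../tutorial/security.md) for how to verify `webview` options with the `will-attach-webview` event." The unchanged context line above it still spells "synchronous" as "syncronous"; worth fixing while this file is being touched.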
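Review bot: In the `docs/tutorial/security.md` hunk, the new bullet reads "all `` tags", so the element name is missing between the backticks and should be `<webview>`. Two points in the example code: the comment "Strip away preload scripts if unused or verify their location is legitimate" describes a conditional check, but the code unconditionally runs `delete webPreferences.preload` and `delete webPreferences.preloadURL`, so either the comment should say the scripts are always removed or the snippet should show the location check it mentions; and `params.src.startsWith('https://yourapp.com/')` throws if `src` is absent rather than refusing the attach, so guard it, e.g. `if (!params.src || !params.src.startsWith('https://yourapp.com/'))`, so that a missing or non-string `src` is blocked instead of crashing the handler. Minor: the fenced block is not indented under the bullet, so the list ends before the code; indenting the fence by two spaces keeps it attached to the "WebViews:" item.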