Add will-attach-webview advice to security.md

Kevin Sawicki, 8 years ago
commit 27a4522d65

2 changed files with 20 additions and 4 deletions:
  1. docs/api/webview-tag.md (0 additions, 4 deletions)
  2. docs/tutorial/security.md (20 additions, 0 deletions)

+ 0 - 4
docs/api/webview-tag.md

@@ -15,10 +15,6 @@ between your app and embedded content will be asynchronous. This keeps your app
 safe from the embedded content. **Note:** Most methods called on the
 webview from the host page require a syncronous call to the main process.
 
-For security purposes, `webview` can only be used in `BrowserWindow`s that have
-`nodeIntegration` enabled. You can override this security restiction using
-`overrideWebViewSecurity` option on [browser-window](browser-window.md).
-
 ## Example
 
 To embed a web page in your app, add the `webview` tag to your app's embedder
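Review bot: Deleting this paragraph leaves webview-tag.md with no statement of what replaces the old rule that `webview` only works in `BrowserWindow`s with `nodeIntegration` enabled (and the `overrideWebViewSecurity` escape hatch); since this commit adds the `will-attach-webview` guidance to docs/tutorial/security.md, a one-line pointer to that section from here would keep the security model discoverable from the tag's own reference page. While in this region, the unchanged context line `webview from the host page require a syncronous call to the main process.` has a typo (`synchronous`) that could be fixed in the same change.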

+ 20 - 0
docs/tutorial/security.md

@@ -77,6 +77,26 @@ This is not bulletproof, but at the least, you should attempt the following:
 * WebViews: Do not use `disablewebsecurity`
 * WebViews: Do not use `allowpopups`
 * WebViews: Do not use `insertCSS` or `executeJavaScript` with remote CSS/JS.
+* WebViews: Verify the options and params of all `<webview>` tags before they
+  get attached using the `will-attach-webview` event:
+
+```js
+app.on('web-contents-created', (event, contents) => {
+  contents.on('will-attach-webview', (event, webPreferences, params) => {
+    // Strip away preload scripts if unused or verify their location is legitimate
+    delete webPreferences.preload
+    delete webPreferences.preloadURL
+
+    // Disable node integration
+    webPreferences.nodeIntegration = false
+
+    // Verify URL being loaded
+    if (!params.src.startsWith('https://yourapp.com/')) {
+      event.preventDefault()
+    }
+  })
+})
+```
 
 Again, this list merely minimizes the risk, it does not remove it. If your goal
 is to display a website, a browser will be a more secure option.
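Review bot: The `if (!params.src.startsWith('https://yourapp.com/'))` check throws a `TypeError` when a `<webview>` is attached without a `src` attribute, because `params.src` is then `undefined`; since the handler's intent is to reject anything it cannot verify, guard it as `if (!params.src || !params.src.startsWith('https://yourapp.com/'))` so a missing `src` is rejected rather than crashing the listener. The comment `// Strip away preload scripts if unused or verify their location is legitimate` describes two alternatives, but the code unconditionally deletes both `preload` and `preloadURL`; either show the verification branch or reword the comment to match what the code does. The trailing slash in `'https://yourapp.com/'` is load-bearing for the prefix check (without it, any host whose name merely begins with `yourapp.com` would pass), so a short comment saying the slash must be kept would help readers who copy the snippet.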