docs: Add recent Electron version to security checklist (#20206)
* docs: Add recent Electron version to security checklist
* Update docs/tutorial/security.md
Co-Authored-By: Mark Lee <malept@users.noreply.github.com>
* Update docs/tutorial/security.md
Co-Authored-By: Pedro Pontes <pepontes@microsoft.com>
* Update docs/tutorial/security.md
Co-Authored-By: Mark Lee <malept@users.noreply.github.com>
parent
c485c1e4b0
commit
334ea36f38
1 changed files with 27 additions and 1 deletions
@ -43,7 +43,8 @@ When releasing your product, you’re also shipping a bundle composed of Electro
Chromium shared library and Node.js. Vulnerabilities affecting these components
Chromium shared library and Node.js. Vulnerabilities affecting these components
may impact the security of your application. By updating Electron to the latest
may impact the security of your application. By updating Electron to the latest
version, you ensure that critical vulnerabilities (such as *nodeIntegration bypasses*)
version, you ensure that critical vulnerabilities (such as *nodeIntegration bypasses*)
are already patched and cannot be exploited in your application.
are already patched and cannot be exploited in your application. For more information,
see "[Use a current version of Electron](#17-use-a-current-version-of-electron)".
* **Evaluate your dependencies.** While NPM provides half a million reusable packages,
* **Evaluate your dependencies.** While NPM provides half a million reusable packages,
it is your responsibility to choose trusted 3rd-party libraries. If you use outdated
it is your responsibility to choose trusted 3rd-party libraries. If you use outdated
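Review bot: the cross-reference added to the first bullet only resolves if its slug matches the new heading; `#17-use-a-current-version-of-electron` follows the same convention as the existing entries (for example `#14-do-not-use-openexternal-with-untrusted-content`), so it is consistent with a heading titled `17) Use a current version of Electron`. While this sentence is being touched, consider softening "are already patched and cannot be exploited in your application" to "are already patched before they can be exploited in your application": running a current Electron closes known bugs, it does not make the application unexploitable, and the stronger wording is what readers will quote.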
@ -101,6 +102,7 @@ You should at least follow these steps to improve the security of your applicati
14. [Do not use `openExternal` with untrusted content](#14-do-not-use-openexternal-with-untrusted-content)
14. [Do not use `openExternal` with untrusted content](#14-do-not-use-openexternal-with-untrusted-content)
15. [Disable the `remote` module](#15-disable-the-remote-module)
15. [Disable the `remote` module](#15-disable-the-remote-module)
16. [Filter the `remote` module](#16-filter-the-remote-module)
16. [Filter the `remote` module](#16-filter-the-remote-module)
17. [Use a current version of Electron](#17-use-a-current-version-of-electron)
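Review bot: item 17 keeps the numbering and anchor style of items 14 through 16, so the checklist and the section it points to stay in sync. Note that the heading number `17)`, the list position and the `#17-...` slug are three copies of the same value: if a later change inserts an item above this one, all three have to move together, otherwise the link in the checklist (and the one added to the "Keep Electron up to date" bullet earlier in this patch) silently breaks. Worth a one-line comment in the doc source, or at least something to watch in review of future additions.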
To automate the detection of misconfigurations and insecure patterns, it is
To automate the detection of misconfigurations and insecure patterns, it is
possible to use
possible to use
@ -830,6 +832,29 @@ app.on('remote-get-guest-web-contents', (event, webContents, guestWebContents) =
})
})
```
```
## 17) Use a current version of Electron
You should strive for always using the latest available version of Electron.
Whenever a new major version is released, you should attempt to update your
app as quickly as possible.
### Why?
An application built with an older version of Electron, Chromium, and Node.js
is an easier target than an application that is using more recent versions of
those components. Generally speaking, security issues and exploits for older
versions of Chromium and Node.js are more widely available.
Both Chromium and Node.js are impressive feats of engineering built by
thousands of talented developers. Given their popularity, their security is
carefully tested and analyzed by equally skilled security researchers. Many of
those researchers [disclose vulnerabilities responsibly][responsible-disclosure],
which generally means that researchers will give Chromium and Node.js some time
to fix issues before publishing them. Your application will be more secure if
it is running a recent version of Electron (and thus, Chromium and Node.js) for
which potential security issues are not as widely known.
[browser-window]: ../api/browser-window.md
[browser-window]: ../api/browser-window.md
[browser-view]: ../api/browser-view.md
[browser-view]: ../api/browser-view.md
[webview-tag]: ../api/webview-tag.md
[webview-tag]: ../api/webview-tag.md
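Review bot: the new section has a "Why?" but no "How?", so unlike the other checklist entries it never tells the reader what to actually do; suggest a short "How?" that names the concrete routine (subscribe to the Electron release notes, run `npm outdated` or an equivalent dependency check in CI, and schedule the upgrade). Related: the opening lines say "Whenever a new major version is released, you should attempt to update", but Chromium and Node.js security fixes are also shipped in Electron's patch and minor releases, so the guidance should say to take those promptly as well rather than implying that only majors matter. Two wording nits in the same hunk: "You should strive for always using the latest available version" reads better as "You should strive to always use the latest available version", and "for which potential security issues are not as widely known" would be clearer as "for which fewer security issues are publicly known".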
@ -838,3 +863,4 @@ app.on('remote-get-guest-web-contents', (event, webContents, guestWebContents) =
[will-navigate]: ../api/web-contents.md#event-will-navigate
[will-navigate]: ../api/web-contents.md#event-will-navigate
[open-external]: ../api/shell.md#shellopenexternalurl-options-callback
[open-external]: ../api/shell.md#shellopenexternalurl-options-callback
[sandbox]: ../api/sandbox-option.md
[sandbox]: ../api/sandbox-option.md
[responsible-disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
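Review bot: the `[responsible-disclosure]` definition added here satisfies the reference introduced in the new section, and the surrounding definitions (`[will-navigate]`, `[open-external]`, `[sandbox]`) are unchanged context, so no reference in the section is left dangling. One suggestion for a follow-up: the link goes to a general Wikipedia article; pointing readers at the security policy or vulnerability-reporting page of Chromium, Node.js or Electron itself would be more actionable for an application developer than a definition of the term.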