mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

docs: security.md: Fix navigation lockdown example code (#14185)

Browse source 
The `url` module is not a constructor; change `require('url')` to
`require('url').URL`. Also, check the entire origin rather than just
the hostname, since otherwise `http://my-own-server.com` is allowed in
addition to `https://my-own-server.com`, in violation of point 1 (only
load secure content).

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
This commit is contained in:
Anders Kaseorg 2018-08-18 22:41:55 -04:00 committed by Samuel Attard
parent dbee03d381
commit 466fe816d5
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
docs/tutorial/security.md
View file

@ -612,13 +612,13 @@ sometimes be fooled - a `startsWith('https://google.com')` test would let
`https://google.com.attacker.com` through. `https://google.com.attacker.com` through.
```js ```js
const URL = require('url') const URL = require('url').URL
app.on('web-contents-created', (event, contents) => { app.on('web-contents-created', (event, contents) => {
contents.on('will-navigate', (event, navigationUrl) => { contents.on('will-navigate', (event, navigationUrl) => {
const parsedUrl = new URL(navigationUrl) const parsedUrl = new URL(navigationUrl)
if (parsedUrl.hostname !== 'my-own-server.com') { if (parsedUrl.origin !== 'https://my-own-server.com') {
event.preventDefault() event.preventDefault()
} }
}) })