📝 eval()

This commit is contained in:
Felix Rieseberg 2018-01-29 11:02:52 -08:00
parent c793ee3aeb
commit 5418866e87


@ -246,6 +246,31 @@ Content-Security-Policy: script-src 'self' https://apis.mydomain.com
``` ```
## Override and Disable `eval`
`eval()` is a core JavaScript method that allows the execution of JavaScript
from a string. Disabling it disables your app's ability to evaluate JavaScript
that is not known in advance.
### Why?
The `eval()` method has precisely one mission: To evaluate a series of
characters as JavaScript and execute it. It is a required method whenever you
need to evaluate code that is known ahead of time. While legitimate use cases
exist, just like any other code generators, `eval()` is difficult to harden.
Generally speaking, it is easier to completely disable `eval()` than to make
it bulletproof. Thus, if you do not need it, it is a good idea to disable it.
### How?
```js
window.eval = global.eval = function() {
throw new Error(`Sorry, this app does not support window.eval().`);
}
```
## Verify WebView Options Before Creation ## Verify WebView Options Before Creation
A WebView created in a renderer process that does not have Node.js integration A WebView created in a renderer process that does not have Node.js integration
enabled will not be able to enable integration itself. However, a WebView will enabled will not be able to enable integration itself. However, a WebView will
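Review bot: the sentence "It is a required method whenever you need to evaluate code that is known ahead of time" in the Why? section contradicts the paragraph just above it ("evaluate JavaScript that is not known in advance") and should read "not known ahead of time"; while there, "just like any other code generators" should be "just like any other code generator". In the How? snippet, `global.eval = function() {...}` will throw `ReferenceError: global is not defined` in a renderer process that does not have Node.js integration enabled (the case the WebView section right after it describes), because `global` only exists when Node is present; either guard it with `if (typeof global !== 'undefined') global.eval = window.eval` or assign `window.eval` alone. Also worth stating that this override only covers direct calls to `eval`: `new Function(...)` and string arguments to `setTimeout`/`setInterval` still compile code from strings, so the Content-Security-Policy from the preceding section (a `script-src` without `'unsafe-eval'`) is what actually enforces the restriction, and the override is defense in depth on top of it.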