fix: do not trigger CSP violations when checking eval (#30991)
* fix: do not trigger CSP violations when checking eval * Update shell/renderer/api/electron_api_web_frame.cc Co-authored-by: Cheng Zhao <zcbenz@gmail.com> Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
This commit is contained in:
parent
add94f5fe6
commit
63eed52626
4 changed files with 35 additions and 26 deletions
|
@ -77,15 +77,8 @@ const isLocalhost = function () {
|
|||
*
|
||||
* @returns {boolean} Is a CSP with `unsafe-eval` set?
|
||||
*/
|
||||
const isUnsafeEvalEnabled: () => Promise<boolean> = function () {
|
||||
return webFrame.executeJavaScript(`(${(() => {
|
||||
try {
|
||||
eval(window.trustedTypes.emptyScript); // eslint-disable-line no-eval
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}).toString()})()`, false);
|
||||
const isUnsafeEvalEnabled = () => {
|
||||
return webFrame._isEvalAllowed();
|
||||
};
|
||||
|
||||
const moreInformation = `\nFor more information and help, consult
|
||||
|
@ -174,16 +167,14 @@ const warnAboutDisabledWebSecurity = function (webPreferences?: Electron.WebPref
|
|||
* Logs a warning message about unset or insecure CSP
|
||||
*/
|
||||
const warnAboutInsecureCSP = function () {
|
||||
isUnsafeEvalEnabled().then((enabled) => {
|
||||
if (!enabled) return;
|
||||
if (!isUnsafeEvalEnabled()) return;
|
||||
|
||||
const warning = `This renderer process has either no Content Security
|
||||
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
|
||||
this app to unnecessary security risks.\n${moreInformation}`;
|
||||
const warning = `This renderer process has either no Content Security
|
||||
Policy set or a policy with "unsafe-eval" enabled. This exposes users of
|
||||
this app to unnecessary security risks.\n${moreInformation}`;
|
||||
|
||||
console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
|
||||
'font-weight: bold;', warning);
|
||||
}).catch(() => {});
|
||||
console.warn('%cElectron Security Warning (Insecure Content-Security-Policy)',
|
||||
'font-weight: bold;', warning);
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue