security.md: Update security recommendation checklist

This commit is contained in:
Per Lundberg 2018-02-19 23:07:03 +02:00 committed by GitHub
parent 56859531cd
commit 8375d21cae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -69,20 +69,18 @@ either `process.env` or the `window` object.
This is not bulletproof, but at the least, you should follow these steps to This is not bulletproof, but at the least, you should follow these steps to
improve the security of your application. improve the security of your application.
1) [Only load secure content](#only-load-secure-content) 1. [Only load secure content](#only-load-secure-content)
2) [Disable the Node.js integration in all renderers that display remote content](#disable-node.js-integration-for-remote-content) 2. [Disable the Node.js integration in all renderers that display remote content](#disable-node.js-integration-for-remote-content)
3) [Enable context isolation in all renderers that display remote content](#enable-context-isolation-for-remote-content) 3. [Enable context isolation in all renderers that display remote content](#enable-context-isolation-for-remote-content)
4) [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#handle-session-permission-requests-from-remote-content) 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#handle-session-permission-requests-from-remote-content)
5) [Do not disable `webSecurity`](#do-not-disable-websecurity) 5. [Do not disable `webSecurity`](#do-not-disable-websecurity)
6) [Define a `Content-Security-Policy`](#define-a-content-security-policy) 6. [Define a `Content-Security-Policy`](#define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`)
and use restrictive rules (i.e. `script-src 'self'`) 7. [Override and disable `eval`](#override-and-disable-eval), which allows strings to be executed as code.
7) [Override and disable `eval`](#override-and-disable-eval) 8. [Do not set `allowRunningInsecureContent` to `true`](#do-not-set-allowRunningInsecureContent-to-true)
, which allows strings to be executed as code. 9. [Do not enable experimental features](#do-not-enable-experimental-features)
8) [Do not set `allowRunningInsecureContent` to `true`](#do-not-set-allowRunningInsecureContent-to-true) 10. [Do not use `blinkFeatures`](#do-not-use-blinkfeatures)
9) [Do not enable experimental features](#do-not-enable-experimental-features) 11. [WebViews: Do not use `allowpopups`](#do-not-use-allowpopups)
10) [Do not use `blinkFeatures`](#do-not-use-blinkfeatures) 12. [WebViews: Verify the options and params of all `<webview>` tags](#verify-webview-options-before-creation)
11) [WebViews: Do not use `allowpopups`](#do-not-use-allowpopups)
12) [WebViews: Verify the options and params of all `<webview>` tags](#verify-webview-options-before-creation)
## 1) Only Load Secure Content ## 1) Only Load Secure Content
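Review bot: the checklist items switch from `1)` to `1.` numbering in this hunk, but the section headings that follow (`## 1) Only Load Secure Content`) keep the `1)` form, so the list and the headings now use two different styles; pick one and apply it to both. In item 6, `(i.e. \`script-src 'self'\`)` should read `e.g.`, since a `script-src 'self'` directive is one example of a restrictive rule rather than its definition. Separately, and not introduced by this change, the anchors `#disable-node.js-integration-for-remote-content` and `#do-not-set-allowRunningInsecureContent-to-true` contain a period and uppercase letters; GitHub-style heading ids are lowercased with punctuation stripped, so these two links are worth checking against the actual generated ids while the list is being touched.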