From c793ee3aebf840b99af5d7578421a1b1f8a8158c Mon Sep 17 00:00:00 2001 From: Felix Rieseberg Date: Mon, 29 Jan 2018 11:02:30 -0800 Subject: [PATCH] :memo: Content Security Policy --- docs/tutorial/security.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index 336192489ac9..9bd715f284e4 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -214,6 +214,38 @@ session ``` +## Define a Content Security Policy + +A Content Security Policy (CSP) is an additional layer of protection against +cross-site-scripting attacks (XSS) and data injection attacks. They can be +enabled by websites and we recommend that any website you load inside Electron +does so. + +### Why? + +CSP allows the server serving content to restrict and control the resources +Electron will load for that given web page. `https://your-page.com` should have +be allowed to scripts from the origins you defined, while scripts from +`https://evil.attacker.com` should not be allowed to run. Defining a CSP is an +easy way to improve your applications security. + +### How? + +Electron respects [the `Content-Security-Policy` HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) +as well as the respective `` tag. + +The following CSP will allow Electron to execute scripts from the current +website as well as from `apis.mydomain.com`. + +``` +// Bad +Content-Security-Policy: '*' + +// Good +Content-Security-Policy: script-src 'self' https://apis.mydomain.com +``` + + ## Verify WebView Options Before Creation A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. However, a WebView will