docs: remove unsafe eval section of security tutorial (#15675)
* docs: remove unsafe eval section of security tutorial
* lintfix
parent a54dd1085a
commit c9d0960f47
1 changed files with 14 additions and 42 deletions
		|  | @ -75,14 +75,13 @@ improve the security of your application. | ||||||
| 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content) | 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content) | ||||||
| 5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity) | 5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity) | ||||||
| 6. [Define a `Content-Security-Policy`](#6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`) | 6. [Define a `Content-Security-Policy`](#6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`) | ||||||
| 7. [Override and disable `eval`](#7-override-and-disable-eval), which allows strings to be executed as code. | 7. [Do not set `allowRunningInsecureContent` to `true`](#7-do-not-set-allowrunninginsecurecontent-to-true) | ||||||
| 8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true) | 8. [Do not enable experimental features](#8-do-not-enable-experimental-features) | ||||||
| 9. [Do not enable experimental features](#9-do-not-enable-experimental-features) | 9. [Do not use `enableBlinkFeatures`](#9-do-not-use-enableblinkfeatures) | ||||||
| 10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures) | 10. [`<webview>`: Do not use `allowpopups`](#10-do-not-use-allowpopups) | ||||||
| 11. [`<webview>`: Do not use `allowpopups`](#11-do-not-use-allowpopups) | 11. [`<webview>`: Verify options and params](#11-verify-webview-options-before-creation) | ||||||
| 12. [`<webview>`: Verify options and params](#12-verify-webview-options-before-creation) | 12. [Disable or limit navigation](#12-disable-or-limit-navigation) | ||||||
| 13. [Disable or limit navigation](#13-disable-or-limit-navigation) | 13. [Disable or limit creation of new windows](#13-disable-or-limit-creation-of-new-windows) | ||||||
| 14. [Disable or limit creation of new windows](#14-disable-or-limit-creation-of-new-windows) |  | ||||||
| 
 | 
 | ||||||
| ## 1) Only Load Secure Content | ## 1) Only Load Secure Content | ||||||
| 
 | 
 | ||||||
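Review bot: the renumbered anchors in this table of contents (`#7-do-not-set-allowrunninginsecurecontent-to-true`, `#8-do-not-enable-experimental-features`, and so on) are derived from the heading text, so they only resolve if every heading from 7 onward is renumbered in the same commit; the later hunks do renumber headings 7 through 13, which keeps the list consistent, but the old anchors such as `#8-do-not-set-allowrunninginsecurecontent-to-true` no longer exist, so any external links or in-page cross-references to the old numbers will break and should be checked. A minor point in the unchanged context of item 6: `i.e.` before `script-src 'self'` should be `e.g.`, since that is one example of a restrictive rule rather than its definition.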
|  | @ -385,34 +384,7 @@ to set a policy on a page directly in the markup using a `<meta>` tag: | ||||||
| #### `webRequest.onHeadersReceived([filter, ]listener)` | #### `webRequest.onHeadersReceived([filter, ]listener)` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## 7) Override and Disable `eval` | ## 7) Do Not Set `allowRunningInsecureContent` to `true` | ||||||
| 
 |  | ||||||
| `eval()` is a core JavaScript method that allows the execution of JavaScript |  | ||||||
| from a string. Disabling it disables your app's ability to evaluate JavaScript |  | ||||||
| that is not known in advance. |  | ||||||
| 
 |  | ||||||
| ### Why? |  | ||||||
| 
 |  | ||||||
| The `eval()` method has precisely one mission: To evaluate a series of |  | ||||||
| characters as JavaScript and execute it. It is a required method whenever you |  | ||||||
| need to evaluate code that is not known ahead of time. While legitimate use |  | ||||||
| cases exist, like any other code generators, `eval()` is difficult to harden. |  | ||||||
| 
 |  | ||||||
| Generally speaking, it is easier to completely disable `eval()` than to make |  | ||||||
| it bulletproof. Thus, if you do not need it, it is a good idea to disable it. |  | ||||||
| 
 |  | ||||||
| ### How? |  | ||||||
| 
 |  | ||||||
| ```js |  | ||||||
| // ESLint will warn about any use of eval(), even this one |  | ||||||
| // eslint-disable-next-line |  | ||||||
| window.eval = global.eval = function () { |  | ||||||
|   throw new Error(`Sorry, this app does not support window.eval().`) |  | ||||||
| } |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| ## 8) Do Not Set `allowRunningInsecureContent` to `true` |  | ||||||
| 
 | 
 | ||||||
| _Recommendation is Electron's default_ | _Recommendation is Electron's default_ | ||||||
| 
 | 
 | ||||||
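Review bot: this removal drops the only place the tutorial explained that executing strings as code is hard to harden, without saying where that guidance now lives. The deleted snippet, `window.eval = global.eval = function () { throw new Error(...) }`, was a weak mitigation in any case: it replaces only the `eval` binding and leaves other string-to-code paths such as the `Function` constructor untouched, whereas a `Content-Security-Policy` whose `script-src` omits `'unsafe-eval'` (item 6 of this tutorial, `script-src 'self'`) is what actually disables all of them in the renderer. Suggest adding one sentence to section 6 stating that a CSP without `'unsafe-eval'` also disables `eval()`, so the advice is relocated rather than lost. The renumbered heading `## 7) Do Not Set \`allowRunningInsecureContent\` to \`true\`` and its `_Recommendation is Electron's default_` line follow with the same two-blank-line spacing used before the other headings, so the layout is fine.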
|  | @ -446,7 +418,7 @@ const mainWindow = new BrowserWindow({}) | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## 9) Do Not Enable Experimental Features | ## 8) Do Not Enable Experimental Features | ||||||
| 
 | 
 | ||||||
| _Recommendation is Electron's default_ | _Recommendation is Electron's default_ | ||||||
| 
 | 
 | ||||||
|  | @ -479,7 +451,7 @@ const mainWindow = new BrowserWindow({}) | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## 10) Do Not Use `enableBlinkFeatures` | ## 9) Do Not Use `enableBlinkFeatures` | ||||||
| 
 | 
 | ||||||
| _Recommendation is Electron's default_ | _Recommendation is Electron's default_ | ||||||
| 
 | 
 | ||||||
|  | @ -511,7 +483,7 @@ const mainWindow = new BrowserWindow() | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## 11) Do Not Use `allowpopups` | ## 10) Do Not Use `allowpopups` | ||||||
| 
 | 
 | ||||||
| _Recommendation is Electron's default_ | _Recommendation is Electron's default_ | ||||||
| 
 | 
 | ||||||
|  | @ -539,7 +511,7 @@ you know it needs that feature. | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## 12) Verify WebView Options Before Creation | ## 11) Verify WebView Options Before Creation | ||||||
| 
 | 
 | ||||||
| A WebView created in a renderer process that does not have Node.js integration | A WebView created in a renderer process that does not have Node.js integration | ||||||
| enabled will not be able to enable integration itself. However, a WebView will | enabled will not be able to enable integration itself. However, a WebView will | ||||||
|  | @ -586,7 +558,7 @@ app.on('web-contents-created', (event, contents) => { | ||||||
| Again, this list merely minimizes the risk, it does not remove it. If your goal | Again, this list merely minimizes the risk, it does not remove it. If your goal | ||||||
| is to display a website, a browser will be a more secure option. | is to display a website, a browser will be a more secure option. | ||||||
| 
 | 
 | ||||||
| ## 13) Disable or limit navigation | ## 12) Disable or limit navigation | ||||||
| 
 | 
 | ||||||
| If your app has no need to navigate or only needs to navigate to known pages, | If your app has no need to navigate or only needs to navigate to known pages, | ||||||
| it is a good idea to limit navigation outright to that known scope, disallowing | it is a good idea to limit navigation outright to that known scope, disallowing | ||||||
|  | @ -630,7 +602,7 @@ app.on('web-contents-created', (event, contents) => { | ||||||
| }) | }) | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| ## 14) Disable or limit creation of new windows | ## 13) Disable or limit creation of new windows | ||||||
| 
 | 
 | ||||||
| If you have a known set of windows, it's a good idea to limit the creation of | If you have a known set of windows, it's a good idea to limit the creation of | ||||||
| additional windows in your app. | additional windows in your app. | ||||||
|  |  | ||||||
Shelley Vohr