mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

docs: remove unsafe eval section of security tutorial (#15675)

Browse source 
* docs: remove unsafe eval section of security tutorial

* lintfix
This commit is contained in:
Shelley Vohr 2018-11-12 11:13:48 -05:00 committed by GitHub
parent a54dd1085a
commit c9d0960f47
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
docs/tutorial/security.md
View file

@ -75,14 +75,13 @@ improve the security of your application.
4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content)
5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity)
6. [Define a `Content-Security-Policy`](#6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`)
7. [Override and disable `eval`](#7-override-and-disable-eval), which allows strings to be executed as code.
8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true)
9. [Do not enable experimental features](#9-do-not-enable-experimental-features)
10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures)
11. [`<webview>`: Do not use `allowpopups`](#11-do-not-use-allowpopups)
12. [`<webview>`: Verify options and params](#12-verify-webview-options-before-creation)
13. [Disable or limit navigation](#13-disable-or-limit-navigation)
14. [Disable or limit creation of new windows](#14-disable-or-limit-creation-of-new-windows)
7. [Do not set `allowRunningInsecureContent` to `true`](#7-do-not-set-allowrunninginsecurecontent-to-true)
8. [Do not enable experimental features](#8-do-not-enable-experimental-features)
9. [Do not use `enableBlinkFeatures`](#9-do-not-use-enableblinkfeatures)
10. [`<webview>`: Do not use `allowpopups`](#10-do-not-use-allowpopups)
11. [`<webview>`: Verify options and params](#11-verify-webview-options-before-creation)
12. [Disable or limit navigation](#12-disable-or-limit-navigation)
13. [Disable or limit creation of new windows](#13-disable-or-limit-creation-of-new-windows)
## 1) Only Load Secure Content
@ -385,34 +384,7 @@ to set a policy on a page directly in the markup using a `<meta>` tag:
#### `webRequest.onHeadersReceived([filter, ]listener)`
## 7) Override and Disable `eval`
`eval()` is a core JavaScript method that allows the execution of JavaScript
from a string. Disabling it disables your app's ability to evaluate JavaScript
that is not known in advance.
### Why?
The `eval()` method has precisely one mission: To evaluate a series of
characters as JavaScript and execute it. It is a required method whenever you
need to evaluate code that is not known ahead of time. While legitimate use
cases exist, like any other code generators, `eval()` is difficult to harden.
Generally speaking, it is easier to completely disable `eval()` than to make
it bulletproof. Thus, if you do not need it, it is a good idea to disable it.
### How?
```js
// ESLint will warn about any use of eval(), even this one
// eslint-disable-next-line
window.eval = global.eval = function () {
throw new Error(`Sorry, this app does not support window.eval().`)
}
```
## 8) Do Not Set `allowRunningInsecureContent` to `true`
## 7) Do Not Set `allowRunningInsecureContent` to `true`
_Recommendation is Electron's default_
@ -446,7 +418,7 @@ const mainWindow = new BrowserWindow({})
```
## 9) Do Not Enable Experimental Features
## 8) Do Not Enable Experimental Features
_Recommendation is Electron's default_
@ -479,7 +451,7 @@ const mainWindow = new BrowserWindow({})
```
## 10) Do Not Use `enableBlinkFeatures`
## 9) Do Not Use `enableBlinkFeatures`
_Recommendation is Electron's default_
@ -511,7 +483,7 @@ const mainWindow = new BrowserWindow()
```
## 11) Do Not Use `allowpopups`
## 10) Do Not Use `allowpopups`
_Recommendation is Electron's default_
@ -539,7 +511,7 @@ you know it needs that feature.
```
## 12) Verify WebView Options Before Creation
## 11) Verify WebView Options Before Creation
A WebView created in a renderer process that does not have Node.js integration
enabled will not be able to enable integration itself. However, a WebView will
@ -586,7 +558,7 @@ app.on('web-contents-created', (event, contents) => {
Again, this list merely minimizes the risk, it does not remove it. If your goal
is to display a website, a browser will be a more secure option.
## 13) Disable or limit navigation
## 12) Disable or limit navigation
If your app has no need to navigate or only needs to navigate to known pages,
it is a good idea to limit navigation outright to that known scope, disallowing
@ -630,7 +602,7 @@ app.on('web-contents-created', (event, contents) => {
})
```
## 14) Disable or limit creation of new windows
## 13) Disable or limit creation of new windows
If you have a known set of windows, it's a good idea to limit the creation of
additional windows in your app.