🔧 WebSecurity
parent 7e79ae750f
commit cdb20d2692
1 changed files with 37 additions and 0 deletions
|
@ -358,6 +358,43 @@ const mainWindow = new BrowserWindow()
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Do Not Disable WebSecurity
|
||||||
|
|
||||||
|
You may have already guessed that disabling the `webSecurity` property on a
|
||||||
|
renderer process (`BrowserView`, `BrowserWindow`, `WebView`) disables crucial
|
||||||
|
security features.
|
||||||
|
|
||||||
|
Legitimate use cases for this property exist in testing cases, but generally
|
||||||
|
speaking, `webSecurity` should never be disabled in any production application.
|
||||||
|
|
||||||
|
### Why?
|
||||||
|
|
||||||
|
Disabling `webSecurity` will disable the same-origin policy as well as
|
||||||
|
implicitly setting the `allowRunningInsecureContent` property to `true`. In
|
||||||
|
other words, it allows the execution of insecure code from different domains.
|
||||||
|
|
||||||
|
### How?
|
||||||
|
```js
|
||||||
|
// Bad
|
||||||
|
const mainWindow = new BrowserWindow({
|
||||||
|
webPreferences: {
|
||||||
|
webSecurity: false
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
// Good
|
||||||
|
const mainWindow = new BrowserWindow()
|
||||||
|
```
|
||||||
|
|
||||||
|
```html
|
||||||
|
<!-- Bad -->
|
||||||
|
<webview disablewebsecurity src="page.html"></webview>
|
||||||
|
|
||||||
|
<!-- Good -->
|
||||||
|
<webview src="page.html"></webview>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Verify WebView Options Before Creation
|
## Verify WebView Options Before Creation
|
||||||
A WebView created in a renderer process that does not have Node.js integration
|
A WebView created in a renderer process that does not have Node.js integration
|
||||||
enabled will not be able to enable integration itself. However, a WebView will
|
enabled will not be able to enable integration itself. However, a WebView will
|
||||||
|
|
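Review bot: In the new "### Why?" paragraph, the closing sentence "it allows the execution of insecure code from different domains" merges two separate effects named in the sentence before it, the loss of the same-origin policy and `allowRunningInsecureContent` being set to `true`. Suggest stating each consequence on its own, and rewording "as well as implicitly setting" to "and implicitly sets" so the sentence is parallel. Both "Good" samples (`new BrowserWindow()` and `<webview src="page.html">`) rely on the default without the text saying what that default is; one sentence stating it would make the recommendation explicit. The intro's "Legitimate use cases for this property exist in testing cases" reads awkwardly and gives no hint on keeping such a setting out of production builds. Minor: the "Bad" and "Good" snippets sit in one `js` block and both declare `const mainWindow`, so the block fails if copied whole; splitting it into two blocks avoids that.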