diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index f737e5a0cb49..fea66a1dee14 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -52,7 +52,7 @@ native code on the user's machine. > :warning: Under no circumstances should you load and execute remote code with Node.js integration enabled. Instead, use only local files (packaged together with your application) to execute Node.js code. To display remote content, use -the [`webview`][web-view] tag and make sure to disable the `nodeIntegration`. +the [``][webview-tag] tag and make sure to disable the `nodeIntegration`. ## Electron Security Warnings @@ -79,8 +79,8 @@ improve the security of your application. 8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true) 9. [Do not enable experimental features](#9-do-not-enable-experimental-features) 10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures) -11. [WebViews: Do not use `allowpopups`](#11-do-not-use-allowpopups) -12. [WebViews: Verify the options and params of all `` tags](#12-verify-webview-options-before-creation) +11. [``: Do not use `allowpopups`](#11-do-not-use-allowpopups) +12. [``: Verify options and params](#12-verify-webview-options-before-creation) ## 1) Only Load Secure Content @@ -127,7 +127,7 @@ browserWindow.loadURL('https://my-website.com') It is paramount that you disable Node.js integration in any renderer ([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or -[`WebView`][web-view]) that loads remote content. The goal is to limit the +[``][webview-tag]) that loads remote content. The goal is to limit the powers you grant to remote content, thus making it dramatically more difficult for an attacker to harm your users should they gain the ability to execute JavaScript on your website. @@ -292,7 +292,7 @@ _Recommendation is Electron's default_ You may have already guessed that disabling the `webSecurity` property on a renderer process ([`BrowserWindow`][browser-window], -[`BrowserView`][browser-view], or [`WebView`][web-view]) disables crucial +[`BrowserView`][browser-view], or [``][webview-tag]) disables crucial security features. Do not disable `webSecurity` in production applications. @@ -509,10 +509,10 @@ const mainWindow = new BrowserWindow() _Recommendation is Electron's default_ -If you are using [`WebViews`][web-view], you might need the pages and scripts +If you are using [``][webview-tag], you might need the pages and scripts loaded in your `` tag to open new windows. The `allowpopups` attribute enables them to create new [`BrowserWindows`][browser-window] using the -`window.open()` method. `WebViews` are otherwise not allowed to create new +`window.open()` method. `` tags are otherwise not allowed to create new windows. ### Why? @@ -539,25 +539,25 @@ A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. However, a WebView will always create an independent renderer process with its own `webPreferences`. -It is a good idea to control the creation of new [`WebViews`][web-view] from -the main process and to verify that their webPreferences do not disable +It is a good idea to control the creation of new [``][webview-tag] tags +from the main process and to verify that their webPreferences do not disable security features. ### Why? -Since WebViews live in the DOM, they can be created by a script running on your +Since `` live in the DOM, they can be created by a script running on your website even if Node.js integration is otherwise disabled. Electron enables developers to disable various security features that control a renderer process. In most cases, developers do not need to disable any of those features - and you should therefore not allow different configurations -for newly created [``][web-view] tags. +for newly created [``][webview-tag] tags. ### How? -Before a [``][web-view] tag is attached, Electron will fire the +Before a [``][webview-tag] tag is attached, Electron will fire the `will-attach-webview` event on the hosting `webContents`. Use the event to -prevent the creation of WebViews with possibly insecure options. +prevent the creation of webviews with possibly insecure options. ```js app.on('web-contents-created', (event, contents) => { @@ -582,4 +582,4 @@ is to display a website, a browser will be a more secure option. [browser-window]: ../api/browser-window.md [browser-view]: ../api/browser-view.md -[web-view]: ../api/web-view.md +[webview-tag]: ../api/webview-tag.md