Fix links to webview.md
This commit is contained in:
parent
8ccb5cc6eb
commit
cdd2bab7d5
1 changed files with 14 additions and 14 deletions
|
@ -52,7 +52,7 @@ native code on the user's machine.
|
||||||
> :warning: Under no circumstances should you load and execute remote code with
|
> :warning: Under no circumstances should you load and execute remote code with
|
||||||
Node.js integration enabled. Instead, use only local files (packaged together
|
Node.js integration enabled. Instead, use only local files (packaged together
|
||||||
with your application) to execute Node.js code. To display remote content, use
|
with your application) to execute Node.js code. To display remote content, use
|
||||||
the [`webview`][web-view] tag and make sure to disable the `nodeIntegration`.
|
the [`<webview>`][webview-tag] tag and make sure to disable the `nodeIntegration`.
|
||||||
|
|
||||||
## Electron Security Warnings
|
## Electron Security Warnings
|
||||||
|
|
||||||
|
@ -79,8 +79,8 @@ improve the security of your application.
|
||||||
8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true)
|
8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true)
|
||||||
9. [Do not enable experimental features](#9-do-not-enable-experimental-features)
|
9. [Do not enable experimental features](#9-do-not-enable-experimental-features)
|
||||||
10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures)
|
10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures)
|
||||||
11. [WebViews: Do not use `allowpopups`](#11-do-not-use-allowpopups)
|
11. [`<webview>`: Do not use `allowpopups`](#11-do-not-use-allowpopups)
|
||||||
12. [WebViews: Verify the options and params of all `<webview>` tags](#12-verify-webview-options-before-creation)
|
12. [`<webview>`: Verify options and params](#12-verify-webview-options-before-creation)
|
||||||
|
|
||||||
|
|
||||||
## 1) Only Load Secure Content
|
## 1) Only Load Secure Content
|
||||||
|
@ -127,7 +127,7 @@ browserWindow.loadURL('https://my-website.com')
|
||||||
|
|
||||||
It is paramount that you disable Node.js integration in any renderer
|
It is paramount that you disable Node.js integration in any renderer
|
||||||
([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or
|
([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or
|
||||||
[`WebView`][web-view]) that loads remote content. The goal is to limit the
|
[`<webview>`][webview-tag]) that loads remote content. The goal is to limit the
|
||||||
powers you grant to remote content, thus making it dramatically more difficult
|
powers you grant to remote content, thus making it dramatically more difficult
|
||||||
for an attacker to harm your users should they gain the ability to execute
|
for an attacker to harm your users should they gain the ability to execute
|
||||||
JavaScript on your website.
|
JavaScript on your website.
|
||||||
|
@ -292,7 +292,7 @@ _Recommendation is Electron's default_
|
||||||
|
|
||||||
You may have already guessed that disabling the `webSecurity` property on a
|
You may have already guessed that disabling the `webSecurity` property on a
|
||||||
renderer process ([`BrowserWindow`][browser-window],
|
renderer process ([`BrowserWindow`][browser-window],
|
||||||
[`BrowserView`][browser-view], or [`WebView`][web-view]) disables crucial
|
[`BrowserView`][browser-view], or [`<webview>`][webview-tag]) disables crucial
|
||||||
security features.
|
security features.
|
||||||
|
|
||||||
Do not disable `webSecurity` in production applications.
|
Do not disable `webSecurity` in production applications.
|
||||||
|
@ -509,10 +509,10 @@ const mainWindow = new BrowserWindow()
|
||||||
|
|
||||||
_Recommendation is Electron's default_
|
_Recommendation is Electron's default_
|
||||||
|
|
||||||
If you are using [`WebViews`][web-view], you might need the pages and scripts
|
If you are using [`<webview>`][webview-tag], you might need the pages and scripts
|
||||||
loaded in your `<webview>` tag to open new windows. The `allowpopups` attribute
|
loaded in your `<webview>` tag to open new windows. The `allowpopups` attribute
|
||||||
enables them to create new [`BrowserWindows`][browser-window] using the
|
enables them to create new [`BrowserWindows`][browser-window] using the
|
||||||
`window.open()` method. `WebViews` are otherwise not allowed to create new
|
`window.open()` method. `<webview>` tags are otherwise not allowed to create new
|
||||||
windows.
|
windows.
|
||||||
|
|
||||||
### Why?
|
### Why?
|
||||||
|
@ -539,25 +539,25 @@ A WebView created in a renderer process that does not have Node.js integration
|
||||||
enabled will not be able to enable integration itself. However, a WebView will
|
enabled will not be able to enable integration itself. However, a WebView will
|
||||||
always create an independent renderer process with its own `webPreferences`.
|
always create an independent renderer process with its own `webPreferences`.
|
||||||
|
|
||||||
It is a good idea to control the creation of new [`WebViews`][web-view] from
|
It is a good idea to control the creation of new [`<webview>`][webview-tag] tags
|
||||||
the main process and to verify that their webPreferences do not disable
|
from the main process and to verify that their webPreferences do not disable
|
||||||
security features.
|
security features.
|
||||||
|
|
||||||
### Why?
|
### Why?
|
||||||
|
|
||||||
Since WebViews live in the DOM, they can be created by a script running on your
|
Since `<webview>` live in the DOM, they can be created by a script running on your
|
||||||
website even if Node.js integration is otherwise disabled.
|
website even if Node.js integration is otherwise disabled.
|
||||||
|
|
||||||
Electron enables developers to disable various security features that control
|
Electron enables developers to disable various security features that control
|
||||||
a renderer process. In most cases, developers do not need to disable any of
|
a renderer process. In most cases, developers do not need to disable any of
|
||||||
those features - and you should therefore not allow different configurations
|
those features - and you should therefore not allow different configurations
|
||||||
for newly created [`<WebView>`][web-view] tags.
|
for newly created [`<webview>`][webview-tag] tags.
|
||||||
|
|
||||||
### How?
|
### How?
|
||||||
|
|
||||||
Before a [`<WebView>`][web-view] tag is attached, Electron will fire the
|
Before a [`<webview>`][webview-tag] tag is attached, Electron will fire the
|
||||||
`will-attach-webview` event on the hosting `webContents`. Use the event to
|
`will-attach-webview` event on the hosting `webContents`. Use the event to
|
||||||
prevent the creation of WebViews with possibly insecure options.
|
prevent the creation of webviews with possibly insecure options.
|
||||||
|
|
||||||
```js
|
```js
|
||||||
app.on('web-contents-created', (event, contents) => {
|
app.on('web-contents-created', (event, contents) => {
|
||||||
|
@ -582,4 +582,4 @@ is to display a website, a browser will be a more secure option.
|
||||||
|
|
||||||
[browser-window]: ../api/browser-window.md
|
[browser-window]: ../api/browser-window.md
|
||||||
[browser-view]: ../api/browser-view.md
|
[browser-view]: ../api/browser-view.md
|
||||||
[web-view]: ../api/web-view.md
|
[webview-tag]: ../api/webview-tag.md
|
||||||
|
|
Loading…
Reference in a new issue