feature: Hot security tips (#11810)
* 🔧 Add security issue detection (and logs) * 🔧 Check for it on load * 👷 Add some tests * 👷 Make the linter happy * 🔧 Allow them to be enabled by force * 📝 Make message slightly prettier * 🔧 Fix a typo in the code comment * 🔧 Classic mistake * 🚀 Optimize things a bit more * 👷 Add tests, fix tests * 📝 Document things * 🔧 Make linter happy * 🔧 One more piece of cleanup
This commit is contained in:
parent
62d2a3472f
commit
d586ef2f39
10 changed files with 541 additions and 14 deletions
|
@ -28,6 +28,18 @@ v8Util.setHiddenValue(global, 'ipc', new events.EventEmitter())
|
|||
// Use electron module after everything is ready.
|
||||
const electron = require('electron')
|
||||
|
||||
const {
|
||||
warnAboutNodeWithRemoteContent,
|
||||
warnAboutDisabledWebSecurity,
|
||||
warnAboutInsecureContentAllowed,
|
||||
warnAboutExperimentalFeatures,
|
||||
warnAboutBlinkFeatures,
|
||||
warnAboutInsecureResources,
|
||||
warnAboutInsecureCSP,
|
||||
warnAboutAllowedPopups,
|
||||
shouldLogSecurityWarnings
|
||||
} = require('./security-warnings')
|
||||
|
||||
// Call webFrame method.
|
||||
electron.ipcRenderer.on('ELECTRON_INTERNAL_RENDERER_WEB_FRAME_METHOD', (event, method, args) => {
|
||||
electron.webFrame[method](...args)
|
||||
|
@ -148,17 +160,6 @@ if (nodeIntegration === 'true') {
|
|||
}
|
||||
}
|
||||
|
||||
if (window.location.protocol === 'https:' ||
|
||||
window.location.protocol === 'http:' ||
|
||||
window.location.protocol === 'ftp:') {
|
||||
let warning = 'This renderer process has Node.js integration enabled '
|
||||
warning += 'and attempted to load remote content. This exposes users of this app to severe '
|
||||
warning += 'security risks.\n'
|
||||
warning += 'For more information and help, consult https://electronjs.org/docs/tutorial/security'
|
||||
|
||||
console.warn('%cElectron Security Warning', 'font-weight: bold;', warning)
|
||||
}
|
||||
|
||||
// Redirect window.onerror to uncaughtException.
|
||||
window.onerror = function (message, filename, lineno, colno, error) {
|
||||
if (global.process.listeners('uncaughtException').length > 0) {
|
||||
|
@ -188,3 +189,22 @@ for (const preloadScript of preloadScripts) {
|
|||
console.error(error.stack || error.message)
|
||||
}
|
||||
}
|
||||
|
||||
// Warn about security issues
|
||||
window.addEventListener('load', function loadHandler () {
|
||||
if (shouldLogSecurityWarnings()) {
|
||||
if (nodeIntegration === 'true') {
|
||||
warnAboutNodeWithRemoteContent()
|
||||
}
|
||||
|
||||
warnAboutDisabledWebSecurity()
|
||||
warnAboutInsecureResources()
|
||||
warnAboutInsecureContentAllowed()
|
||||
warnAboutExperimentalFeatures()
|
||||
warnAboutBlinkFeatures()
|
||||
warnAboutInsecureCSP()
|
||||
warnAboutAllowedPopups()
|
||||
}
|
||||
|
||||
window.removeEventListener('load', loadHandler)
|
||||
})
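Review bot: The eight `warnAbout*` calls inside the new `load` handler run with no error isolation, so an exception thrown by any one of them (for example a DOM lookup inside `warnAboutInsecureCSP` on an unusual page) would abort the remaining checks and surface through the app's own `window.onerror` handler defined earlier in this file. Wrapping the calls in `try { … } catch (err) { console.error('Electron security checks failed:', err) }` keeps a purely diagnostic feature from turning into an application error while still making the failure visible. It would also help to say in the comment that, unlike the startup check removed in the second hunk, these warnings are now deferred to the page's `load` event and are gated by `shouldLogSecurityWarnings()`, whose conditions live in `./security-warnings` and are not visible here — e.g. `// Runs once after 'load' (the DOM is presumably needed for the CSP/resource checks); skipped entirely when shouldLogSecurityWarnings() is false`. The `loadHandler` function is complete within the hunk.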
|
||||
|
|