📝 allowRunningInsecureContent

2018-01-29 11:03:06 -08:00 · 2018-01-29 11:03:06 -08:00 · e73f142adc
commit e73f142adc
parent 5418866e87
1 changed files with 30 additions and 0 deletions
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@ -271,6 +271,36 @@ window.eval = global.eval = function() {
 ```


+## Do Not Set `allowRunningInsecureContent` to `true`
+
+By default, Electron will now allow websites loaded over `HTTPS` to load and
+execute scripts, CSS, or plugins from insecure sources (`HTTP`). Setting the
+property `allowRunningInsecureContent` to `true` disables that protection.
+
+Loading the initial HTML of a website over `HTTPS` and attempting to load
+subsequent resources via `HTTP` is also known as "mixed content".
+
+### Why?
+
+See the section on [only displaying secure content](#only-display-secure-content)
+for more details, but simply put, loading content over `HTTPS` assures the
+authenticity and integrity of the loaded resources while encrypting the traffic
+itself.
+
+### How?
+
+```js
+// Bad
+const mainWindow = new BrowserWindow({
+  webPreferences: {
+    allowRunningInsecureContent: true
+  }
+})
+
+// Good
+const mainWindow = new BrowserWindow({})
+```
+
 ## Verify WebView Options Before Creation
 A WebView created in a renderer process that does not have Node.js integration
 enabled will not be able to enable integration itself. However, a WebView will