📝 allowRunningInsecureContent

Felix Rieseberg 2018-01-29 11:03:06 -08:00
parent 5418866e87
commit e73f142adc


@ -271,6 +271,36 @@ window.eval = global.eval = function() {
``` ```
## Do Not Set `allowRunningInsecureContent` to `true`
By default, Electron will now allow websites loaded over `HTTPS` to load and
execute scripts, CSS, or plugins from insecure sources (`HTTP`). Setting the
property `allowRunningInsecureContent` to `true` disables that protection.
Loading the initial HTML of a website over `HTTPS` and attempting to load
subsequent resources via `HTTP` is also known as "mixed content".
### Why?
See the section on [only displaying secure content](#only-display-secure-content)
for more details, but simply put, loading content over `HTTPS` assures the
authenticity and integrity of the loaded resources while encrypting the traffic
itself.
### How?
```js
// Bad
const mainWindow = new BrowserWindow({
webPreferences: {
allowRunningInsecureContent: true
}
})
// Good
const mainWindow = new BrowserWindow({})
```
## Verify WebView Options Before Creation ## Verify WebView Options Before Creation
A WebView created in a renderer process that does not have Node.js integration A WebView created in a renderer process that does not have Node.js integration
enabled will not be able to enable integration itself. However, a WebView will enabled will not be able to enable integration itself. However, a WebView will
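Review bot: The opening sentence of the new section says "Electron will now allow websites loaded over `HTTPS` to load and execute scripts, CSS, or plugins from insecure sources", which contradicts the following sentence, where setting `allowRunningInsecureContent` to `true` "disables that protection"; "now" should read "not". In the How? snippet, the Bad and Good cases both declare `const mainWindow` in the same fenced block, so the block fails with a redeclaration error if copied whole; splitting it into two blocks or using distinct names would avoid that. The Why? paragraph leans entirely on the `#only-display-secure-content` anchor, so it is worth confirming that the anchor matches the heading it is meant to reach, and adding a sentence on what an attacker on the network path gains when an `HTTPS` page executes a script fetched over `HTTP`.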