Merge pull request #8456 from yuya-oc/docs-security
Add to security checklist about permission requests
This commit is contained in:
commit
edcea3e800
1 changed files with 2 additions and 1 deletions
|
@ -56,8 +56,9 @@ This is not bulletproof, but at the least, you should attempt the following:
|
||||||
* Only display secure (https) content
|
* Only display secure (https) content
|
||||||
* Disable the Node integration in all renderers that display remote content
|
* Disable the Node integration in all renderers that display remote content
|
||||||
(setting `nodeIntegration` to `false` in `webPreferences`)
|
(setting `nodeIntegration` to `false` in `webPreferences`)
|
||||||
* Enable context isolation in all rendererers that display remote content
|
* Enable context isolation in all renderers that display remote content
|
||||||
(setting `contextIsolation` to `true` in `webPreferences`)
|
(setting `contextIsolation` to `true` in `webPreferences`)
|
||||||
|
* Use `ses.setPermissionRequestHandler()` in all sessions that load remote content
|
||||||
* Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
|
* Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
|
||||||
* Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
|
* Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
|
||||||
, and use restrictive rules (i.e. `script-src 'self'`)
|
, and use restrictive rules (i.e. `script-src 'self'`)
|
||||||
|
|
Loading…
Reference in a new issue