include::../summary.adoc[]
== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
== How to fix it
=== Code examples
To fix this issue in Electron applications, ensure that the `webSecurity` property of `webPreferences` is never set to `false`.
Keeping it enabled preserves the same-origin policy and the related security restrictions for web content loaded by your application.
If the `webSecurity` flag is not explicitly set, it is enabled by default.
==== Noncompliant code example
[source,javascript,diff-id=1,diff-type=noncompliant]
----
const { BrowserWindow } = require('electron');

let mainWindow = new BrowserWindow({
  webPreferences: {
    webSecurity: false // Noncompliant
  }
});
----
==== Compliant solution
[source,javascript,diff-id=1,diff-type=compliant]
----
const { BrowserWindow } = require('electron');

let mainWindow = new BrowserWindow({
  webPreferences: {
    webSecurity: true
  }
});
----
=== How does this work?
In the compliant example, `webSecurity` is explicitly enabled.
It is also sufficient not to set this property, as it is enabled by default.
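The following is an added example, not part of this rule description or of Electron itself. It shows the two facts above in code: how to resolve the effective value of `webSecurity` for a given `webPreferences` object (absent key means enabled), and a small line-oriented scan that flags `webSecurity: false` in main-process source text, which is the pattern this rule reports. The sample source it scans is constructed for the example; the scan is regex-based and ignores `//` line comments, so it is a triage aid rather than a replacement for an AST-based linter.

```javascript
// Added example (not from the rule page or Electron): audit helpers for the
// webSecurity flag in Electron's webPreferences.

// Resolve the runtime value Electron will use: the flag is enabled unless
// it is explicitly set to false. A missing key, or a missing object, is enabled.
function effectiveWebSecurity(prefs) {
  if (prefs === undefined || prefs === null || prefs.webSecurity === undefined) {
    return true;
  }
  return prefs.webSecurity !== false;
}

// Matches `webSecurity: false` as well as the quoted-key forms
// `'webSecurity': false` / `"webSecurity": false`.
const DISABLED_RE = /['"]?\bwebSecurity\b['"]?\s*:\s*false\b/;

// Scan source text line by line and report every line that disables the flag.
// Line comments are stripped first so commented-out settings are not flagged.
function findDisabledWebSecurity(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const withoutComment = text.replace(/\/\/.*$/, '');
    if (DISABLED_RE.test(withoutComment)) {
      findings.push({ line: idx + 1, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample main-process file: one noncompliant window, one window
// that enables the flag explicitly, one that relies on the default, and one
// commented-out setting that must not be reported.
const SAMPLE_MAIN_JS = `
const { BrowserWindow } = require('electron');
const win1 = new BrowserWindow({
  webPreferences: {
    webSecurity: false
  }
});
const win2 = new BrowserWindow({
  webPreferences: { webSecurity: true }
});
const win3 = new BrowserWindow({}); // default: enabled
// webSecurity: false  <- commented out, not a finding
`;

function auditSample() {
  return findDisabledWebSecurity(SAMPLE_MAIN_JS);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('findings:', auditSample());
  console.log('default enabled:', effectiveWebSecurity({}));
  console.log('explicitly disabled:', effectiveWebSecurity({ webSecurity: false }));
}

if (typeof module !== 'undefined') {
  module.exports = { effectiveWebSecurity, findDisabledWebSecurity, auditSample, SAMPLE_MAIN_JS };
}
```

Run with `node` to print the single finding (line 5 of the constructed sample) and the resolved defaults; in a CI job, a non-empty result from `findDisabledWebSecurity` on the main-process sources is a reasonable gate until an AST-based rule such as this one runs.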
//=== Pitfalls
=== Going the extra mile
include::../common/extra-mile/csp.adoc[]
== Resources
include::../common/resources/docs.adoc[]
//=== Articles & blog posts
//=== Conference presentations
//=== Standards
//=== External coding guidelines
//=== Benchmarks
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
endif::env-github,rspecator-view[]