CSP doesn't work for scripts inside inline <webview> tags? #3921
Comments
The

@zcbenz Is it OK to allow this sort of code injection?

If users can inject a webview tag then it won't be safe anyway, they would be able to load arbitrary content and run arbitrary code. There is a similar discussion: #1753.

@zcbenz WebView tag should probably just be flat-out disabled if node integration is disabled

I think

Disabling webview when node integration is off could have compatibility issues with existing apps, I think we can provide an option to disable webview. I have created #3943 for this.

You're not wrong, but those apps are also disabling node integration for security reasons, and this bug means that all remote content hosted in these windows effectively has full access to the machine. This is a security issue serious enough imho to warrant a breaking change. As an equally secure yet perhaps not as breaking a change, we could ignore

Sounds quite reasonable to me 👍.

@zcbenz, this doesn't seem to be true in Electron 8? Is there any way to use the
Reference: "When writing an app in Electron, you have to keep XSS from ever happening through sheer willpower and grit." - 葉っぱ日記 (Japanese)
Content Security Policy doesn't work for scripts inside <webview> tags? I think it's dangerous because CSP cannot prevent XSS attacks using <webview> tags and allows access to any Node APIs.

Example

<script> doesn't run
<webview>'s src attribute runs (and any Node APIs can be used in it even if the outer BrowserWindow has nodeIntegration disabled)

Environment: Electron 0.36.1 and OS X 10.11.2
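As an added example that is not part of this issue or of Electron's own code: the mitigation the thread converges on, an option to disable the webview tag (tracked in #3943), plus vetting of any webview that is still allowed to attach, written as an Electron main-process script. It assumes Electron's documented `webviewTag` web preference and `will-attach-webview` webContents event; the origin allowlist, the helper names and the sample URLs are hypothetical.

```javascript
'use strict';

// Added example, not code from this issue or from Electron itself.  A CSP
// script-src never looks at an injected <webview>, so the tag is disabled via
// webPreferences.webviewTag and, as defence in depth, any webview an app still
// permits is vetted before it is created.
// Assumed: Electron's documented `webviewTag` preference and the
// `will-attach-webview` event.  Allowlist and helper names are hypothetical.

// Preferences for a window that renders remote content.  With webviewTag
// false, an injected <webview> is inert even though CSP cannot block it.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webviewTag: false,
  };
}

// Defence in depth for apps that must keep webviewTag enabled.  Mutates
// `webPreferences` in place because Electron reads that same object after the
// `will-attach-webview` handler returns.  Returns { allow, reason }.
function vetWebviewAttach(webPreferences, params, allowedOrigins) {
  // Never let a webview inherit Node or a preload the app did not intend.
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  webPreferences.contextIsolation = true;

  let url;
  try {
    url = new URL(String(params.src));
  } catch (err) {
    return { allow: false, reason: 'unparseable src' };
  }
  // data:, javascript:, file: and friends are exactly the payloads the issue
  // describes; only https: to a known origin is allowed through.
  if (url.protocol !== 'https:') {
    return { allow: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (!allowedOrigins.includes(url.origin)) {
    return { allow: false, reason: `origin ${url.origin} not allowlisted` };
  }
  return { allow: true, reason: 'ok' };
}

// Electron wiring.  electron is required lazily so the two helpers above can
// be exercised outside an Electron process.
function createHardenedWindow(allowedOrigins) {
  const { BrowserWindow } = require('electron');
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
  win.webContents.on('will-attach-webview', (event, webPreferences, params) => {
    const verdict = vetWebviewAttach(webPreferences, params, allowedOrigins);
    if (!verdict.allow) {
      console.warn(`blocked webview: ${verdict.reason}`);
      event.preventDefault();
    }
  });
  return win;
}
```

Since Electron 5 `webviewTag` already defaults to false, so `hardenedWebPreferences` mostly documents the intent; the `will-attach-webview` vetting is what matters for an app that opts back in, and it must mutate the preferences object it is handed rather than a copy.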