AUXCLICK_HTML_CHECK

Luca Carettoni edited this page Jan 15, 2019 · 2 revisions

AUXCLICK_HTML_CHECK - Limit navigation flows to untrusted origins

The creation of a new browser window or the navigation to untrusted origins may lead to severe vulnerabilities. Additionally, middle-click causes Electron to open a link within a new window. Under certain circumstances, this can be leveraged to execute arbitrary JavaScript in the context of a new window.


Risk

Navigation to untrusted origins can facilitate attacks, so it is recommended to limit the ability of a BrowserWindow and webview guest page to initiate new navigation flows. Middle-click events can be leveraged to subvert the flow of the application.

Auditing

Creation of a new window or the navigation to a specific origin can be inspected and validated using callbacks for the new-window and will-navigate events. Your application can limit the navigation flows by implementing something like:

win.webContents.on('will-navigate', (event, newURL) => {
    // Validate the destination (newURL), not the page that is currently loaded
    if (new URL(newURL).origin !== 'https://doyensec.com') {
        event.preventDefault();
    }
})

However, libchromiumcontent will trigger middle-click events as auxclick instead of click.

If you use webview, your application has to explicitly disable this insecure behaviour using something like:

<webview src="https://www.github.com/" disableblinkfeatures="Auxclick"></webview>
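A minimal audit for the webview case above, as an added example that is not part of the original page or of Electronegativity's own code: it lists every webview tag whose disableblinkfeatures attribute does not include Auxclick. The function names, the regex-based tag matching and the sample markup are assumptions made for this illustration.

```javascript
// Added example: flag <webview> tags that do not disable the Auxclick Blink feature.
// Assumption: regex tag matching is enough for the sample; attribute values
// containing '>' would need a real HTML parser.
const REQUIRED_FEATURE = 'Auxclick'; // exact spelling used on this page; other casings are flagged

// Constructed sample markup, not taken from any real application.
const SAMPLE_HTML = [
  '<webview src="https://www.github.com/" disableblinkfeatures="Auxclick"></webview>',
  '<webview src="https://example.com/a"></webview>',
  '<webview src="https://example.com/b" disableblinkfeatures="CSSVariables"></webview>',
  "<WebView src='https://example.com/c' DisableBlinkFeatures='CSSVariables, Auxclick'/>",
].join('\n');

function parseAttributes(tagBody) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    // HTML attribute names are case-insensitive; the first occurrence wins.
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function findAuxclickIssues(html) {
  const issues = [];
  const tagRe = /<webview\b([^>]*)>/gi; // opening tags only; '</webview>' never matches
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    // The attribute holds a comma-separated list of Blink feature names.
    const disabled = (attrs.disableblinkfeatures || '')
      .split(',').map((f) => f.trim()).filter(Boolean);
    if (!disabled.includes(REQUIRED_FEATURE)) {
      const line = html.slice(0, m.index).split('\n').length; // 1-based line number
      issues.push({ line, src: attrs.src || null, disabled });
    }
  }
  return issues;
}

console.log(findAuxclickIssues(SAMPLE_HTML));
```

Webviews created or configured from script are outside what this markup scan can see and need a separate review.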
