Luca Carettoni edited this page Jan 16, 2019 · 1 revision

AUXCLICK_JS_CHECK - Limit navigation flows to untrusted origins

The creation of a new browser window or navigation to an untrusted origin may lead to severe vulnerabilities. Additionally, a middle-click causes Electron to open a link in a new window, and the browser reports that middle-click as an auxclick event rather than a click event. Under certain circumstances, this can be leveraged to execute arbitrary JavaScript in the context of the new window.


Navigation to untrusted origins can facilitate attacks, so it is recommended to limit the ability of a BrowserWindow and of webview guest pages to initiate new navigation flows. Middle-click events can be leveraged to subvert the navigation controls of the application, because a handler that only filters click events never sees them.


Creation of a new window or navigation to a specific origin can be inspected and validated using callbacks for the new-window and will-navigate events of webContents. Your application can limit the navigation flows by implementing something like:

win.webContents.on('will-navigate', (event, newURL) => {
    // getURL() is empty only before the first load; once the window has
    // content, every further navigation is cancelled.
    if (win.webContents.getURL() !== '') {
        event.preventDefault();
    }
});

However, libchromiumcontent delivers middle-click events as auxclick instead of click, so a handler that intercepts only click never sees them and the link is opened in a new window regardless. Your application has to explicitly disable this insecure behaviour through the disableBlinkFeatures web preference, using something like:

const mainWindow = new BrowserWindow({
    "webPreferences": {
        // Disable the Blink "Auxclick" feature so a middle-click no longer
        // opens links in a new window. The key must be spelled exactly,
        // with no trailing space, or the setting is silently ignored.
        "disableBlinkFeatures": "Auxclick"
    }
});

