
CSP_GLOBAL_CHECK

Lorenzo Stella edited this page Mar 1, 2019 · 1 revision

CSP_GLOBAL_CHECK - CSP presence check and review

Electron apps should, when possible, implement a Content Security Policy (CSP) as an additional layer of protection against cross-site scripting (XSS) and data injection attacks. There are two ways to set a CSP in Electron: via the webRequest.onHeadersReceived handler or directly in the markup using a <meta> tag.
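The two mechanisms named above, written out as an added example (this is not Electronegativity's code). It assumes Electron's session.webRequest.onHeadersReceived API with the listener signature (details, callback) that Electron documents; the session object is passed in as a parameter so the functions can be exercised without Electron installed, and the policy string is a constructed sample:

```javascript
// Added example (not Electronegativity's code): the two ways to apply a CSP
// in Electron that the page describes. The `session` argument is assumed to
// have the shape of Electron's session API (webRequest.onHeadersReceived).

// Policy used for both the header and the <meta> variant (constructed sample).
const CSP_POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'none'",
].join('; ');

// Variant 1: inject the header from webRequest.onHeadersReceived. The listener
// must call `callback` exactly once; the app policy replaces any CSP header the
// server sent, so a weak server-side policy cannot override the app's own.
function installCspHeader(session, policy = CSP_POLICY) {
  session.webRequest.onHeadersReceived((details, callback) => {
    const headers = { ...details.responseHeaders };
    // Header names may arrive in any letter case; drop existing variants first.
    for (const name of Object.keys(headers)) {
      if (name.toLowerCase() === 'content-security-policy') delete headers[name];
    }
    headers['Content-Security-Policy'] = [policy];
    callback({ responseHeaders: headers });
  });
}

// Variant 2: the same policy as a <meta> tag, for pages loaded from disk where
// no HTTP response headers exist. Returns the tag to place in <head>; the policy
// is attribute-escaped so a quote inside a directive cannot break the tag.
function cspMetaTag(policy = CSP_POLICY) {
  const escaped = policy.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<meta http-equiv="Content-Security-Policy" content="${escaped}">`;
}
```

In a real app the first variant is called once at startup with session.defaultSession; the second is pasted into the HTML of file:// pages, which is also where Electronegativity's HTML-side check looks for it.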

This check determines whether a CSP is set or missing, whether it is defined via JavaScript or HTML:

  • If a CSP is detected, Electronegativity looks for weak directives using a library based on the csp-evaluator.withgoogle.com online tool.
  • If no CSP is found, Electronegativity issues a warning.

Risk

CSP lets the server that serves a page restrict and control which resources Electron may load for that page. For example, a page on https://example.com should be allowed to load scripts only from the origins you define, while a script from https://evil.attacker.com should not be allowed to run.

Auditing

Check whether a CSP is defined and use the csp-evaluator.withgoogle.com tool to review its directives.
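To make the review step concrete, here is an added example (not Electronegativity's code and not the csp-evaluator tool's own rules) that parses a policy string and flags the weak directives a reviewer would look at first: unsafe or overly broad script sources, a missing object-src, and a missing base-uri. The rule set is a simplified subset chosen for illustration, and the sample policies in the comments are constructed:

```javascript
// Added example (not Electronegativity's or csp-evaluator's code): a small CSP
// parser plus heuristics for a few well-known weak directives. Simplified
// subset for illustration, not a complete evaluator.

// Parse "dir1 v1 v2; dir2 v3" into { dir1: ['v1', 'v2'], dir2: ['v3'] }.
// Directive names are case-insensitive; a repeated directive is ignored after
// its first occurrence, which is how browsers treat duplicates.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Effective source list for a fetch directive, falling back to default-src.
// Returns null when neither is set, i.e. the resource type is unrestricted.
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// Script sources that let attacker-influenced script run.
const RISKY_SCRIPT_SOURCES = new Set([
  "'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'http:', 'https:',
]);

// Return a list of human-readable findings; an empty list means nothing fired.
// Example (constructed): "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
// yields findings for 'unsafe-inline', https: and the missing base-uri.
function findWeakDirectives(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const scripts = effectiveSources(d, 'script-src');
  if (scripts === null) {
    findings.push('script-src: neither script-src nor default-src is set; script loading is unrestricted');
  } else {
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'
    // (it is kept only as a CSP2 fallback), so do not flag it in that case.
    const hasNonceOrHash = scripts.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    for (const s of scripts) {
      const src = s.toLowerCase();
      if (src === "'unsafe-inline'" && hasNonceOrHash) continue;
      if (RISKY_SCRIPT_SOURCES.has(src)) findings.push(`script-src: ${s} allows attacker-controlled script`);
    }
  }
  if (effectiveSources(d, 'object-src') === null) {
    findings.push("object-src: missing; plugin content is unrestricted, set object-src 'none'");
  }
  if (!('base-uri' in d)) {
    findings.push('base-uri: missing; an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}
```

Running findWeakDirectives over the policy a scanner extracted from the header or <meta> tag gives a first-pass list to compare against the full csp-evaluator.withgoogle.com output.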

References
