CSP_GLOBAL_CHECK - CSP presence check and review
Electron apps should, whenever possible, implement a Content Security Policy (CSP) as an additional layer of protection against cross-site scripting and data injection attacks.
There are two ways to set a CSP in Electron: via the webRequest.onHeadersReceived handler or directly in the markup using a <meta> tag.
This check determines whether a CSP policy is set or missing, via either JS or HTML:
- If a CSP is detected, Electronegativity looks for weak directives using a library based on the csp-evaluator.withgoogle.com online tool.
- If no CSP is found, Electronegativity issues a warning.
CSP allows the server serving content to restrict and control the resources Electron can load for a given web page. For example, https://example.com should be allowed to load scripts only from the origins you defined, while scripts from https://evil.attacker.com should not be allowed to run.
Check whether a CSP is defined and use the csp-evaluator.withgoogle.com tool to review its directives.
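As an added example (not Electronegativity's or Electron's own code), the following Node/JavaScript sketches what this check and its recommendation describe: parse a policy, flag the weak script and plugin directives a reviewer looks for, and install a header through the webRequest.onHeadersReceived route. installCspHandler assumes an Electron Session object is passed in; the two sample policies are constructed.

```javascript
// Example code (not Electronegativity's or Electron's): CSP parse + review + header install.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"; // constructed
const STRICT_POLICY = "default-src 'none'; script-src 'self'; object-src 'none'"; // constructed

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources); // directive names are case-insensitive
  }
  return directives;
}

// Flag the weak directives a reviewer looks for. Simplified next to csp-evaluator:
// it only inspects script and plugin loading and ignores nonces/hashes.
function reviewCsp(policy) {
  const csp = parseCsp(policy);
  const findings = [];
  const script = csp.get('script-src') || csp.get('default-src'); // CSP fallback rule
  if (!script) {
    findings.push('neither script-src nor default-src is set: script loading is unrestricted');
  } else {
    for (const raw of script) {
      const src = raw.toLowerCase();
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        findings.push(`script sources allow ${src}`);
      } else if (['*', 'http:', 'https:', 'data:'].includes(src)) {
        findings.push(`script sources allow the over-broad source ${src}`);
      }
    }
  }
  if (!csp.has('object-src') && !csp.has('default-src')) {
    findings.push('object-src is not set: plugin content (<object>, <embed>) is unrestricted');
  }
  return findings;
}

// Install the policy as a response header from the main process. `session` is an
// Electron Session (e.g. session.defaultSession); onHeadersReceived is Electron's API.
function installCspHandler(session, policy) {
  session.webRequest.onHeadersReceived((details, callback) => {
    callback({
      responseHeaders: { ...details.responseHeaders, 'Content-Security-Policy': [policy] },
    });
  });
}
```

reviewCsp(WEAK_POLICY) reports the 'unsafe-inline' and bare https: sources, while reviewCsp(STRICT_POLICY) returns no findings.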