HTTP_RESOURCES_JS_CHECK

Luca Carettoni edited this page Jan 16, 2019 · 3 revisions

HTTP_RESOURCES_JS_CHECK - Do not allow insecure HTTP connections

When using HTTP as the transport, security is provided by Transport Layer Security (TLS). TLS, and its predecessor SSL, are widely used on the Internet to authenticate a service to a client, and then to provide confidentiality to the channel. Transport security is a critical mechanism for every Electron application.

Directly fetching content using plain-text HTTP opens your application to Man-in-the-Middle attacks.


Risk

Man-in-the-Middle attacks. If nodeIntegration is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.

Auditing

Look for resources loaded using http, for example:

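const { BrowserWindow } = require('electron');
const win = new BrowserWindow({ /* ... */ });
// Insecure: the page is fetched over plain-text HTTP
win.loadURL('http://example.com/');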
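
The audit step above can be partly automated. The sketch below is an added example, not code from the original page or the project: a line-based regular-expression scan (an assumed simplification; the names auditSource, CALL_RE and SAMPLE_SOURCE are hypothetical) that flags loadURL calls given a literal http:// URL and marks non-literal arguments for manual review.

```javascript
// Added example: audit JavaScript source for loadURL() calls over plain HTTP.
// SAMPLE_SOURCE is constructed input for illustration only.
const SAMPLE_SOURCE = [
  "const { BrowserWindow } = require('electron');",
  "const win = new BrowserWindow({ width: 800 });",
  "win.loadURL('http://example.com/');",
  "win.loadURL(\"https://example.com/\");",
  "// win.loadURL('http://example.com/old');",
  "win.loadURL(`http://example.com/${page}`);",
  "win.loadURL(startUrl);",
].join('\n');

// Captures either a quoted/template literal argument (groups 1 and 2)
// or the start of a non-literal expression (group 3).
const CALL_RE = /\.loadURL\s*\(\s*(?:(['"`])(.*?)\1|([^)\s][^,)]*))/g;

function auditSource(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    // Skip whole-line comments. Block comments and trailing comments are
    // not handled; "http://" itself contains "//", so naive stripping is unsafe.
    if (text.trim().startsWith('//')) return;
    for (const match of text.matchAll(CALL_RE)) {
      const [, quote, literal, expr] = match;
      if (quote !== undefined) {
        // URL schemes are case-insensitive, so compare without regard to case.
        if (/^http:\/\//i.test(literal.trim())) {
          findings.push({ file, line: index + 1, severity: 'insecure', value: literal });
        }
      } else {
        // The URL is built elsewhere: it cannot be judged from this line alone.
        findings.push({ file, line: index + 1, severity: 'review', value: expr.trim() });
      }
    }
  });
  return findings;
}

for (const f of auditSource(SAMPLE_SOURCE, 'main.js')) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.value}`);
}
```

A finding marked review means the argument is a variable or expression, so its origin has to be traced by hand before the call can be considered safe.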
