/electronegativity

INSECURE_CONTENT_JS_CHECK

Jump to bottom
Luca Carettoni edited this page Jan 16, 2019 · 2 revisions

INSECURE_CONTENT_JS_CHECK - Do not allow insecure HTTP connections

When using HTTP as the transport, security is provided by Transport Layer Security (TLS). TLS, and its predecessor SSL, are widely used on the Internet to authenticate a service to a client, and then to provide confidentiality to the channel.

Mixed content occurs when the initial HTML page is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection.

Risk

HTTP, Mixed Content and TLS validation opt-out should not be used, as it makes possible to sniff and tamper the user’s traffic. If nodeIntegration is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.

Auditing

Search for allowRunningInsecureContent set to true/1 within the webPreferences of BrowserWindow:

mainWindow = new BrowserWindow({
    "webPreferences": {
        "allowRunningInsecureContent": true
    }
});

References

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.