PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK - Detect missing setPermissionRequestHandler for untrusted origins
This GlobalCheck detects whether the atomic PERMISSION_REQUEST_HANDLER_JS_CHECK is missing, meaning that setPermissionRequestHandler is not set in the target application.
This setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) leaves the Electron application under full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. While browsers have implemented notifications to inform the user that a remote site is capturing the webcam stream, Electron does not display any notification.
Review all occurrences of setPermissionRequestHandler. If it is used, manually evaluate the implementation and security of the custom callbacks. If it is not used, the application does not limit session permissions at all, so the configuration is open to abuse.
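One shape a reviewed callback can take, as an added example that is not code from this page or from the tool it documents: a deny-by-default handler that grants only listed permissions to exact HTTPS origins. The names TRUSTED, decidePermission and installPermissionHandler, the origin https://app.example.com and the audio-only media rule are assumptions made for illustration.

```javascript
// Constructed policy: exact origin -> permissions that origin may be granted.
const TRUSTED = new Map([
  ['https://app.example.com', new Set(['notifications', 'media'])],
]);

// Pure decision function, kept separate from Electron so it can be unit tested.
function decidePermission(policy, permission, requestingUrl, details = {}) {
  let origin;
  try {
    const u = new URL(requestingUrl);
    // Only HTTPS origins are eligible; file:, data:, about: and http: are denied.
    if (u.protocol !== 'https:') return false;
    origin = u.origin;
  } catch {
    return false; // unparsable URL: deny
  }
  // Exact origin match, never substring or prefix matching on the URL string.
  const allowed = policy.get(origin);
  if (!allowed || !allowed.has(permission)) return false;
  if (permission === 'media') {
    // Assumed policy: audio capture only; any request that includes video is denied.
    const types = details.mediaTypes || [];
    return types.length > 0 && types.every((t) => t === 'audio');
  }
  return true;
}

// Wires the decision into a session. Handlers are per session, so call this for
// session.defaultSession and for every custom partition the application creates.
function installPermissionHandler(ses, policy = TRUSTED) {
  ses.setPermissionRequestHandler((webContents, permission, callback, details) => {
    const url = (details && details.requestingUrl) ||
      (webContents ? webContents.getURL() : '');
    callback(decidePermission(policy, permission, url, details || {}));
  });
}
```
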