PERMISSION_REQUEST_HANDLER_JS_CHECK

Luca Carettoni edited this page Jan 19, 2019 · 3 revisions

PERMISSION_REQUEST_HANDLER_JS_CHECK - Use setPermissionRequestHandler for untrusted origins

When loading remote untrusted content, it is recommended to enable Session’s permissions handler, which can be used to respond to permission requests. It is possible to access the session of existing pages by using the session property of WebContents, or from the session module.

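const { BrowserWindow } = require('electron')

const win = new BrowserWindow()
win.loadURL('https://doyensec.com')
// Session associated with this window's WebContents
const ses = win.webContents.session
console.log(ses.getUserAgent())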

Using setPermissionRequestHandler, it is possible to write custom code to limit specific permissions (e.g. openExternal) in response to events from particular origins.

ses.setPermissionRequestHandler((webContents, permission, callback) => {
    // Deny openExternal unless the request comes from the expected page; allow everything else
    if (webContents.getURL() !== 'https://doyensec.com' && permission === 'openExternal') {
        return callback(false)
    } else {
        return callback(true)
    }
})

The current version of Electron allows control of the following permissions:

  • media
  • geolocation
  • notifications
  • midiSysex
  • pointerLock
  • fullscreen
  • openExternal

Please note that Electron’s Session object is a powerful mechanism with access to many properties of the browser sessions, cookies, cache, proxy settings, etc. Use with caution!
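
A stricter variant of the handler above, as an added example that is not part of the original page or of the project's own code: it denies by default, compares the origin rather than the full URL, and keeps the decision in a pure function that can be exercised without Electron. The allowlist contents and the names decidePermission, installPermissionPolicy and simulate are assumptions made for illustration.

```javascript
// Constructed allowlist (assumption): origin -> permissions it may be granted.
const ALLOWED = new Map([
  ['https://doyensec.com', new Set(['notifications', 'fullscreen'])]
])

// Pure policy decision: anything not explicitly listed is denied.
function decidePermission(rawUrl, permission) {
  let origin
  try {
    // Compare scheme + host + port only; path, query and fragment are ignored.
    origin = new URL(rawUrl).origin
  } catch (e) {
    return false // empty or malformed URL: deny
  }
  const granted = ALLOWED.get(origin) // file: and data: URLs yield origin "null"
  return granted !== undefined && granted.has(permission)
}

// Attach the policy to an Electron Session (e.g. win.webContents.session).
function installPermissionPolicy(ses, log = console.warn) {
  ses.setPermissionRequestHandler((webContents, permission, callback) => {
    const url = webContents.getURL()
    const ok = decidePermission(url, permission)
    if (!ok) log(`permission denied: ${permission} requested by ${url}`)
    callback(ok)
  })
}

// Constructed stand-in for a Session and WebContents, so the handler can be
// run in plain Node; in an application, pass the real session instead.
function simulate(url, permission) {
  let handler
  let result
  const fakeSession = { setPermissionRequestHandler: (h) => { handler = h } }
  installPermissionPolicy(fakeSession, () => {})
  handler({ getURL: () => url }, permission, (ok) => { result = ok })
  return result
}
```
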


Risk

This setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) leaves the Electron application under full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. While browsers have implemented notifications to inform the user that a remote site is capturing the webcam stream, Electron does not display any notification.

Auditing

Review all occurrences of setPermissionRequestHandler. If used, manually evaluate the implementation and security of the custom callbacks. If not used, the application does not limit session permissions at all, so the configuration is open to abuse.

References
