Luca Carettoni edited this page Jan 19, 2019 · 2 revisions

WEB_SECURITY_JS_CHECK - Do not use disablewebsecurity

This flag gives access to the underlying disablewebsecurity Chromium option. When this attribute is present, the guest page will have web security disabled. For instance, Same-Origin Policy (SOP) will not be enforced.

Please note that the Same-Origin Policy is not strictly enforced by the current implementation of Electron, due to a design flaw. As a result, this option is practically irrelevant at the moment.


When the flag is enabled, SOP is not enforced and mixed content is allowed (e.g. an https page loading JavaScript or CSS from http origins).


Check the webPreferences object passed to BrowserWindow, and look for webSecurity false:

const { BrowserWindow } = require("electron");
mainWindow = new BrowserWindow({
    "webPreferences": {
        "webSecurity": false // the setting this check looks for
    }
});

Additionally, search for the runtime flag --disable-web-security in the package.json, and within the application codebase.
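The three searches described above can be scripted for a quick triage pass. The following is an added example, not Electronegativity's own check: it uses regex heuristics, the function name `scanFiles`, the rule ids and the sample files are constructed for illustration, and it also looks for `app.commandLine.appendSwitch("disable-web-security")`, which sets the same switch from code.

```javascript
// Added example: regex heuristics for manual triage, not an AST-based check.
// Rule ids are hypothetical names chosen for this example.
const RULES = [
  { id: "webSecurity-false",            // webPreferences option in JS/TS sources
    applies: /\.(js|ts|jsx|tsx)$/,
    re: /\bwebSecurity["']?\s*:\s*false\b/g },
  { id: "disablewebsecurity-attr",      // <webview disablewebsecurity> in markup
    applies: /\.(html?|jsx|tsx|vue)$/,
    re: /<webview\b[^>]*\bdisablewebsecurity\b/gi },
  { id: "disable-web-security-flag",    // runtime switch in scripts or set from code
    applies: /./,
    re: /--disable-web-security\b|appendSwitch\(\s*["']disable-web-security["']/g },
];

// files: object mapping a path to that file's text content.
// Returns one finding per match: { path, line, rule }.
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const rule of RULES) {
      if (!rule.applies.test(path)) continue;
      for (const m of text.matchAll(rule.re)) {
        // 1-based line number of the start of the match
        const line = text.slice(0, m.index).split("\n").length;
        findings.push({ path, line, rule: rule.id });
      }
    }
  }
  return findings;
}

// Constructed sample input covering each location the page tells you to check.
const SAMPLE = {
  "main.js": 'mainWindow = new BrowserWindow({\n  "webPreferences": {\n    "webSecurity": false\n  }\n});\n',
  "index.html": '<webview src="https://example.com"\n  disablewebsecurity></webview>\n',
  "package.json": '{\n  "scripts": {\n    "start": "electron . --disable-web-security"\n  }\n}\n',
  "safe.js": "new BrowserWindow({ webPreferences: { webSecurity: true } });\n",
};

console.log(scanFiles(SAMPLE));
```

Matches inside comments or strings are reported too, so each finding needs a manual look before it is treated as a real issue.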

