WEB_SECURITY_JS_CHECK

Luca Carettoni edited this page Jan 19, 2019 · 2 revisions

WEB_SECURITY_JS_CHECK - Do not use disablewebsecurity

This flag gives access to the underline disablewebsecurity Chromium option. When this attribute is present, the guest page will have web security disabled. For instance, Same-Origin Policy (SOP) will not be enforced.

Please note that the Same-Origin Policy is not strictly enforced by the current implementation of Electron, due to a design flaw. As a result, this option is practically irrelevant at the moment.


Risk

When enabled, SOP is not enforced and mixed content is allowed (e.g. https page using JavaScript, CSS from http origins).

Auditing

Check the webPreferences object passed to BrowserWindow, and look for webSecurity false:

mainWindow = new BrowserWindow({
    "webPreferences": {
        "webSecurity": false
    }
});

Additionally, search for the runtime flag —disable-web-security in the package.json, and within the application codebase.

References

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.