Electron Security All In One
Electron Security All In One
https://www.electronjs.org/docs/tutorial/security
CSP
Content-Security-Policy
Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
This exposes users of this app to unnecessary security risks.
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
(anonymous) @ electron/js2c/renderer_init.js:111
"./lib/renderer/security-warnings.ts": /*!*******************************************!*\
!*** ./lib/renderer/security-warnings.ts ***!
\*******************************************/
/*! no static exports found */
function(e, t, r) {
"use strict";
(function(e) {
Object.defineProperty(t, "__esModule", {
value: !0
});
const n = r(/*! electron */
"./lib/renderer/api/exports/electron.ts")
, i = r(/*! @electron/internal/renderer/ipc-renderer-internal */
"./lib/renderer/ipc-renderer-internal.ts");
let o = null;
const {platform: s, execPath: a, env: c} = e
, getIsRemoteProtocol = function() {
if (window && window.location && window.location.protocol)
return /^(http|ftp)s?/gi.test(window.location.protocol)
}
, isLocalhost = function() {
return !(!window || !window.location) && "localhost" === window.location.hostname
}
, l = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged."
, warnAboutInsecureCSP = function() {
n.webFrame._executeJavaScript(`(${(()=>{
try {
new Function("")
} catch {
return !1
}
return !0
}
).toString()})()`, !1).then(e=>{
if (!e)
return;
const t = `This renderer process has either no Content Security\n Policy set or a policy with "unsafe-eval" enabled. This exposes users of\n this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", t)
}
)
}
, logSecurityWarnings = function(e, t) {
!function(e) {
if (e && !isLocalhost() && getIsRemoteProtocol()) {
const e = `This renderer process has Node.js integration enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", e)
}
}(t),
function(e) {
if (!e || !1 !== e.webSecurity)
return;
const t = `This renderer process has "webSecurity" disabled. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", t)
}(e),
function() {
if (!window || !window.performance || !window.performance.getEntriesByType)
return;
const e = window.performance.getEntriesByType("resource").filter(({name: e})=>/^(http|ftp):/gi.test(e || "")).filter(({name: e})=>"localhost" !== new URL(e).hostname).map(({name: e})=>`- ${e}`).join("\n");
if (!e || 0 === e.length)
return;
const t = `This renderer process loads resources using insecure\n protocols. This exposes users of this app to unnecessary security risks.\n Consider loading the following resources over HTTPS or FTPS. \n${e}\n \n${l}`;
console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", t)
}(),
function(e) {
if (!e || !e.allowRunningInsecureContent)
return;
const t = `This renderer process has "allowRunningInsecureContent"\n enabled. This exposes users of this app to severe security risks.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !e.experimentalFeatures)
return;
const t = `This renderer process has "experimentalFeatures" enabled.\n This exposes users of this app to some security risk. If you do not need\n this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !Object.prototype.hasOwnProperty.call(e, "enableBlinkFeatures") || e.enableBlinkFeatures && 0 === e.enableBlinkFeatures.length)
return;
const t = `This renderer process has additional "enableBlinkFeatures"\n enabled. This exposes users of this app to some security risk. If you do not\n need this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", t)
}(e),
warnAboutInsecureCSP(),
function() {
if (document && document.querySelectorAll) {
const e = document.querySelectorAll("[allowpopups]");
if (!e || 0 === e.length)
return;
const t = `A <webview> has "allowpopups" set to true. This exposes\n users of this app to some security risk, since popups are just\n BrowserWindows. If you do not need this feature, you should disable it.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", t)
}
}(),
function(e) {
if (!e || isLocalhost())
return;
if ((null == e.enableRemoteModule || !!e.enableRemoteModule) && getIsRemoteProtocol()) {
const e = `This renderer process has "enableRemoteModule" enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", e)
}
}(e)
};
t.securityWarnings = function securityWarnings(e) {
window.addEventListener("load", (async function() {
if (function() {
if (null !== o)
return o;
switch (s) {
case "darwin":
o = a.endsWith("MacOS/Electron") || a.includes("Electron.app/Contents/Frameworks/");
break;
case "freebsd":
case "linux":
o = a.endsWith("/electron");
break;
case "win32":
o = a.endsWith("\\electron.exe");
break;
default:
o = !1
}
return (c && c.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) && (o = !1),
(c && c.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) && (o = !0),
o
}()) {
const t = await async function() {
try {
return i.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES")
} catch (e) {
console.warn(`getLastWebPreferences() failed: ${e}`)
}
}();
logSecurityWarnings(t, e)
}
}
), {
once: !0
})
}
}
).call(this, r(/*! @electron/internal/renderer/webpack-provider */
"./lib/renderer/webpack-provider.ts").process)
},
refs
xgqfrms 2012-2020
www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!
Electron Security All In One的更多相关文章
- electron-vue 运行项目时会报Electron Security Warning (Node.js Integration with Remote Content)警告
使用electron-vue时,运行项目总会出现如下警告: 解决方法:在src/renderer/main.js中加入: process.env['ELECTRON_DISABLE_SECURITY_ ...
- electron 基础
electron 基础 前文我们快速的用了一下 electron.本篇将进一步介绍其基础知识点,例如:生命周期.主进程和渲染进程通信.contextBridge.预加载(禁用node集成).优雅的显示 ...
- Bug Bounty Reference
https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md#remote-code-execution Bug Bou ...
- npm 打包 electron app 报错问题
在进行desktop打包过程中,遇到如下报错: 0 info it worked if it ends with ok 1 verbose cli [ 'C:\\Program Files\\node ...
- (译)通过 HTML、JS 和 Electron 创建你的第一个桌面应用
原文:Creating Your First Desktop App With HTML, JS and Electron 作者:Danny Markov 近年来 web 应用变得越来越强大,但是桌面 ...
- electron应用以管理员权限启动
最近在用electron开发PC桌面应用,其中有个需求就是整个应用以管理员权限启动.很头痛,各种google,baidu. 最后终于解决了,可以分为三个步骤,做个总结分享. 一.如果没有manifes ...
- ref:web security最新学习资料收集
ref:https://chybeta.github.io/2017/08/19/Web-Security-Learning/ ref:https://github.com/CHYbeta/Web-S ...
- electron 集成 SQLCipher
mac 安装 brew /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/m ...
- 第二章 你第首个Electron应用 | Electron in Action(中译)
本章主要内容 构建并启动Electron应用 生成package.json,配置成Electron应用 在你的项目中包含预先构建Electron版本 配置package.json以启动主进程 从主进程 ...
随机推荐
- SpringCloud zuul 网关限流分析
最近项目中 spring cloud zuul 运用到限流功能,打算配置一下就直接使用,不过在压测与调优过程中遇到一些没有预测到的问题,附上排查与解析结果 yml.pom配置 强烈推荐,按最新gith ...
- 我为什么不鼓吹 WireGuard
原文链接:https://fuckcloudnative.io/posts/why-not-wireguard/ 最近有一款新型 VPN 工具备受瞩目,相信很多人已经听说过了,没错就是 WireGua ...
- H3C防火墙开启区域间互访
配置ip和路由以及将端口放至Untrust之后,外网还是不通,需要以下命令 interzone policy default by-priority 或者下面: security-zone intra ...
- Mysql数据库下InnoDB数据引擎下的事务详解
一.什么是数据库事务? 数据库事务( transaction)是访问并可能操作各种数据项的一个数据库操作序列,这些操作要么全部执行,要么全部不执行,是一个不可分割的工作单位.事务由事务开始与事务结束之 ...
- centos7-docker的安装过程
一.卸载旧版本以及依赖(第一次安装忽略) sudo yum remove docker \ docker-client \ docker-client-latest \ docker-common \ ...
- 90% 的 Java 程序员都说不上来的为何 Java 代码越执行越快(1)- JIT编译优化
麻烦大家帮我投一票哈,谢谢 经常听到 Java 性能不如 C/C++ 的言论,也经常听说 Java 程序需要预热,那么其中主要原因是啥呢? 面试的时候谈到 JVM,也有很多面试官喜欢问,为啥 Java ...
- Oracle删除表中的重复数据
Oracle数据库删除表中的重复数据,只保留其中的一条,以两个字段为例,提供两种方法 ①.直接delete重复的数据 delete from table_name t1 where (t1.col1, ...
- Docker (一、dockerfile-node.js)
1.基本说明 Dockfile是一个用于编写docker镜像生成过程的文件,其有特定的语法.在一个文件夹中,如果有一个名字为Dockfile的文件,其内容满足语法要求,在这个文件夹路径下执行命令:do ...
- H3C交换机堆叠
(1) 配置Device A# 将用作IRF物理端口的Ten-GigabitEthernet1/0/1-Ten-GigabitEthernet1/0/4的手工关闭.使用端口批量配置功能可以更 ...
- UML——活动图
宏观导图 是森马? 活动图,属于UML中动态建模工具图,它描述活动的顺序,展现从一个活动到另一个活动的控制流.活动图着重表现从一个活动到另一个活动的控制流,是内部处理驱动的流程. 其实,说白了 ...