Electron Security All In One
Electron Security All In One
https://www.electronjs.org/docs/tutorial/security
CSP
Content-Security-Policy
Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
This exposes users of this app to unnecessary security risks.
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
(anonymous) @ electron/js2c/renderer_init.js:111
"./lib/renderer/security-warnings.ts": /*!*******************************************!*\
!*** ./lib/renderer/security-warnings.ts ***!
\*******************************************/
/*! no static exports found */
function(e, t, r) {
"use strict";
(function(e) {
Object.defineProperty(t, "__esModule", {
value: !0
});
const n = r(/*! electron */
"./lib/renderer/api/exports/electron.ts")
, i = r(/*! @electron/internal/renderer/ipc-renderer-internal */
"./lib/renderer/ipc-renderer-internal.ts");
let o = null;
const {platform: s, execPath: a, env: c} = e
, getIsRemoteProtocol = function() {
if (window && window.location && window.location.protocol)
return /^(http|ftp)s?/gi.test(window.location.protocol)
}
, isLocalhost = function() {
return !(!window || !window.location) && "localhost" === window.location.hostname
}
, l = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged."
, warnAboutInsecureCSP = function() {
n.webFrame._executeJavaScript(`(${(()=>{
try {
new Function("")
} catch {
return !1
}
return !0
}
).toString()})()`, !1).then(e=>{
if (!e)
return;
const t = `This renderer process has either no Content Security\n Policy set or a policy with "unsafe-eval" enabled. This exposes users of\n this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", t)
}
)
}
, logSecurityWarnings = function(e, t) {
!function(e) {
if (e && !isLocalhost() && getIsRemoteProtocol()) {
const e = `This renderer process has Node.js integration enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", e)
}
}(t),
function(e) {
if (!e || !1 !== e.webSecurity)
return;
const t = `This renderer process has "webSecurity" disabled. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", t)
}(e),
function() {
if (!window || !window.performance || !window.performance.getEntriesByType)
return;
const e = window.performance.getEntriesByType("resource").filter(({name: e})=>/^(http|ftp):/gi.test(e || "")).filter(({name: e})=>"localhost" !== new URL(e).hostname).map(({name: e})=>`- ${e}`).join("\n");
if (!e || 0 === e.length)
return;
const t = `This renderer process loads resources using insecure\n protocols. This exposes users of this app to unnecessary security risks.\n Consider loading the following resources over HTTPS or FTPS. \n${e}\n \n${l}`;
console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", t)
}(),
function(e) {
if (!e || !e.allowRunningInsecureContent)
return;
const t = `This renderer process has "allowRunningInsecureContent"\n enabled. This exposes users of this app to severe security risks.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !e.experimentalFeatures)
return;
const t = `This renderer process has "experimentalFeatures" enabled.\n This exposes users of this app to some security risk. If you do not need\n this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !Object.prototype.hasOwnProperty.call(e, "enableBlinkFeatures") || e.enableBlinkFeatures && 0 === e.enableBlinkFeatures.length)
return;
const t = `This renderer process has additional "enableBlinkFeatures"\n enabled. This exposes users of this app to some security risk. If you do not\n need this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", t)
}(e),
warnAboutInsecureCSP(),
function() {
if (document && document.querySelectorAll) {
const e = document.querySelectorAll("[allowpopups]");
if (!e || 0 === e.length)
return;
const t = `A <webview> has "allowpopups" set to true. This exposes\n users of this app to some security risk, since popups are just\n BrowserWindows. If you do not need this feature, you should disable it.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", t)
}
}(),
function(e) {
if (!e || isLocalhost())
return;
if ((null == e.enableRemoteModule || !!e.enableRemoteModule) && getIsRemoteProtocol()) {
const e = `This renderer process has "enableRemoteModule" enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", e)
}
}(e)
};
t.securityWarnings = function securityWarnings(e) {
window.addEventListener("load", (async function() {
if (function() {
if (null !== o)
return o;
switch (s) {
case "darwin":
o = a.endsWith("MacOS/Electron") || a.includes("Electron.app/Contents/Frameworks/");
break;
case "freebsd":
case "linux":
o = a.endsWith("/electron");
break;
case "win32":
o = a.endsWith("\\electron.exe");
break;
default:
o = !1
}
return (c && c.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) && (o = !1),
(c && c.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) && (o = !0),
o
}()) {
const t = await async function() {
try {
return i.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES")
} catch (e) {
console.warn(`getLastWebPreferences() failed: ${e}`)
}
}();
logSecurityWarnings(t, e)
}
}
), {
once: !0
})
}
}
).call(this, r(/*! @electron/internal/renderer/webpack-provider */
"./lib/renderer/webpack-provider.ts").process)
},
refs
xgqfrms 2012-2020
www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!
Electron Security All In One的更多相关文章
- electron-vue 运行项目时会报Electron Security Warning (Node.js Integration with Remote Content)警告
使用electron-vue时,运行项目总会出现如下警告: 解决方法:在src/renderer/main.js中加入: process.env['ELECTRON_DISABLE_SECURITY_ ...
- electron 基础
electron 基础 前文我们快速的用了一下 electron.本篇将进一步介绍其基础知识点,例如:生命周期.主进程和渲染进程通信.contextBridge.预加载(禁用node集成).优雅的显示 ...
- Bug Bounty Reference
https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md#remote-code-execution Bug Bou ...
- npm 打包 electron app 报错问题
在进行desktop打包过程中,遇到如下报错: 0 info it worked if it ends with ok 1 verbose cli [ 'C:\\Program Files\\node ...
- (译)通过 HTML、JS 和 Electron 创建你的第一个桌面应用
原文:Creating Your First Desktop App With HTML, JS and Electron 作者:Danny Markov 近年来 web 应用变得越来越强大,但是桌面 ...
- electron应用以管理员权限启动
最近在用electron开发PC桌面应用,其中有个需求就是整个应用以管理员权限启动.很头痛,各种google,baidu. 最后终于解决了,可以分为三个步骤,做个总结分享. 一.如果没有manifes ...
- ref:web security最新学习资料收集
ref:https://chybeta.github.io/2017/08/19/Web-Security-Learning/ ref:https://github.com/CHYbeta/Web-S ...
- electron 集成 SQLCipher
mac 安装 brew /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/m ...
- 第二章 你第首个Electron应用 | Electron in Action(中译)
本章主要内容 构建并启动Electron应用 生成package.json,配置成Electron应用 在你的项目中包含预先构建Electron版本 配置package.json以启动主进程 从主进程 ...
随机推荐
- Python hashlib的简单使用
hashlib模块针对不同的安全哈希和消息摘要算法实现了一个通用的接口,其中包括SHA1, SHA224, SHA256, SHA384, SHA512算法以及RSA的MD5算法. 使用方法 第一步 ...
- OpenDaylight — YANG
1. 介绍 YANG 是一种用于为 NETCONF 协议建模数据的语言. YANG 将数据的层次结构建模为一棵树. 2. 节点类型 2.1 leaf 它只有一个特定类型的值,并且没有子节点. YANG ...
- chain issues incorrect order,EXtra certs,Contains anchor
背景: 下载颁发下来的ssl证书安装好之后网站正常显示安全,但是通过ssl证书网站去检测报错误:chain issues incorrect order,EXtra certs,Contains an ...
- charles安装使用乱码连手机等问题解决方案
捣鼓半天终于安装好了,给大家分享下我的过程 1.安装, 正常网上安装即可,我安装了个有汉化包的,,推荐链接 安装方法下载破解版,安装即可 安装包地址:https://pan.baidu.com/s/1 ...
- Turbo Boyer-Moore algorithm
MySQL :: MySQL 8.0 Reference Manual :: 8.3.9 Comparison of B-Tree and Hash Indexes https://dev.mysql ...
- 不识Netty真面目,只缘未读此真经
Netty官网:https://netty.io/ Netty is an asynchronous event-driven network application framework for ra ...
- 深度学习论文翻译解析(十八):MobileNetV2: Inverted Residuals and Linear Bottlenecks
论文标题:MobileNetV2: Inverted Residuals and Linear Bottlenecks 论文作者:Mark Sandler Andrew Howard Menglong ...
- Linux——软件安装
Linux--软件安装 一.gcc 二.make 三.rpm 四.yum 一.gcc gcc是Linux上面最标准的C语言的编译程序,用来源代码的编译链接. gcc -c hello.c 编译产生目标 ...
- Java编程工具IDEA的使用
IDEA psvm + Enter 快速构建main方法 sout + Enter 快速打印与句 Ctrl+Shift + Enter,语句完成 Ctrl+F12,可以显示当前文件的结构 Ctrl + ...
- .net core 和 WPF 开发升讯威在线客服与营销系统:实现对 IE8 的完全完美支持 【干货】
本系列文章详细介绍使用 .net core 和 WPF 开发 升讯威在线客服与营销系统 的过程.本产品已经成熟稳定并投入商用. 在线演示环境:https://kf.shengxunwei.com 注意 ...