Electron Security All In One
Electron Security All In One
https://www.electronjs.org/docs/tutorial/security
CSP
Content-Security-Policy
Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
This exposes users of this app to unnecessary security risks.
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
(anonymous) @ electron/js2c/renderer_init.js:111
"./lib/renderer/security-warnings.ts": /*!*******************************************!*\
!*** ./lib/renderer/security-warnings.ts ***!
\*******************************************/
/*! no static exports found */
function(e, t, r) {
"use strict";
(function(e) {
Object.defineProperty(t, "__esModule", {
value: !0
});
const n = r(/*! electron */
"./lib/renderer/api/exports/electron.ts")
, i = r(/*! @electron/internal/renderer/ipc-renderer-internal */
"./lib/renderer/ipc-renderer-internal.ts");
let o = null;
const {platform: s, execPath: a, env: c} = e
, getIsRemoteProtocol = function() {
if (window && window.location && window.location.protocol)
return /^(http|ftp)s?/gi.test(window.location.protocol)
}
, isLocalhost = function() {
return !(!window || !window.location) && "localhost" === window.location.hostname
}
, l = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged."
, warnAboutInsecureCSP = function() {
n.webFrame._executeJavaScript(`(${(()=>{
try {
new Function("")
} catch {
return !1
}
return !0
}
).toString()})()`, !1).then(e=>{
if (!e)
return;
const t = `This renderer process has either no Content Security\n Policy set or a policy with "unsafe-eval" enabled. This exposes users of\n this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", t)
}
)
}
, logSecurityWarnings = function(e, t) {
!function(e) {
if (e && !isLocalhost() && getIsRemoteProtocol()) {
const e = `This renderer process has Node.js integration enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", e)
}
}(t),
function(e) {
if (!e || !1 !== e.webSecurity)
return;
const t = `This renderer process has "webSecurity" disabled. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", t)
}(e),
function() {
if (!window || !window.performance || !window.performance.getEntriesByType)
return;
const e = window.performance.getEntriesByType("resource").filter(({name: e})=>/^(http|ftp):/gi.test(e || "")).filter(({name: e})=>"localhost" !== new URL(e).hostname).map(({name: e})=>`- ${e}`).join("\n");
if (!e || 0 === e.length)
return;
const t = `This renderer process loads resources using insecure\n protocols. This exposes users of this app to unnecessary security risks.\n Consider loading the following resources over HTTPS or FTPS. \n${e}\n \n${l}`;
console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", t)
}(),
function(e) {
if (!e || !e.allowRunningInsecureContent)
return;
const t = `This renderer process has "allowRunningInsecureContent"\n enabled. This exposes users of this app to severe security risks.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !e.experimentalFeatures)
return;
const t = `This renderer process has "experimentalFeatures" enabled.\n This exposes users of this app to some security risk. If you do not need\n this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !Object.prototype.hasOwnProperty.call(e, "enableBlinkFeatures") || e.enableBlinkFeatures && 0 === e.enableBlinkFeatures.length)
return;
const t = `This renderer process has additional "enableBlinkFeatures"\n enabled. This exposes users of this app to some security risk. If you do not\n need this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", t)
}(e),
warnAboutInsecureCSP(),
function() {
if (document && document.querySelectorAll) {
const e = document.querySelectorAll("[allowpopups]");
if (!e || 0 === e.length)
return;
const t = `A <webview> has "allowpopups" set to true. This exposes\n users of this app to some security risk, since popups are just\n BrowserWindows. If you do not need this feature, you should disable it.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", t)
}
}(),
function(e) {
if (!e || isLocalhost())
return;
if ((null == e.enableRemoteModule || !!e.enableRemoteModule) && getIsRemoteProtocol()) {
const e = `This renderer process has "enableRemoteModule" enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", e)
}
}(e)
};
t.securityWarnings = function securityWarnings(e) {
window.addEventListener("load", (async function() {
if (function() {
if (null !== o)
return o;
switch (s) {
case "darwin":
o = a.endsWith("MacOS/Electron") || a.includes("Electron.app/Contents/Frameworks/");
break;
case "freebsd":
case "linux":
o = a.endsWith("/electron");
break;
case "win32":
o = a.endsWith("\\electron.exe");
break;
default:
o = !1
}
return (c && c.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) && (o = !1),
(c && c.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) && (o = !0),
o
}()) {
const t = await async function() {
try {
return i.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES")
} catch (e) {
console.warn(`getLastWebPreferences() failed: ${e}`)
}
}();
logSecurityWarnings(t, e)
}
}
), {
once: !0
})
}
}
).call(this, r(/*! @electron/internal/renderer/webpack-provider */
"./lib/renderer/webpack-provider.ts").process)
},
refs
xgqfrms 2012-2020
www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!
Electron Security All In One的更多相关文章
- electron-vue 运行项目时会报Electron Security Warning (Node.js Integration with Remote Content)警告
使用electron-vue时,运行项目总会出现如下警告: 解决方法:在src/renderer/main.js中加入: process.env['ELECTRON_DISABLE_SECURITY_ ...
- electron 基础
electron 基础 前文我们快速的用了一下 electron.本篇将进一步介绍其基础知识点,例如:生命周期.主进程和渲染进程通信.contextBridge.预加载(禁用node集成).优雅的显示 ...
- Bug Bounty Reference
https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md#remote-code-execution Bug Bou ...
- npm 打包 electron app 报错问题
在进行desktop打包过程中,遇到如下报错: 0 info it worked if it ends with ok 1 verbose cli [ 'C:\\Program Files\\node ...
- (译)通过 HTML、JS 和 Electron 创建你的第一个桌面应用
原文:Creating Your First Desktop App With HTML, JS and Electron 作者:Danny Markov 近年来 web 应用变得越来越强大,但是桌面 ...
- electron应用以管理员权限启动
最近在用electron开发PC桌面应用,其中有个需求就是整个应用以管理员权限启动.很头痛,各种google,baidu. 最后终于解决了,可以分为三个步骤,做个总结分享. 一.如果没有manifes ...
- ref:web security最新学习资料收集
ref:https://chybeta.github.io/2017/08/19/Web-Security-Learning/ ref:https://github.com/CHYbeta/Web-S ...
- electron 集成 SQLCipher
mac 安装 brew /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/m ...
- 第二章 你第首个Electron应用 | Electron in Action(中译)
本章主要内容 构建并启动Electron应用 生成package.json,配置成Electron应用 在你的项目中包含预先构建Electron版本 配置package.json以启动主进程 从主进程 ...
随机推荐
- 不支持的字符集 (在类路径中添加 orai18n.jar): ZHS16GBK
不支持的字符集 (在类路径中添加 orai18n.jar): ZHS16GBK 报错图示: 报错内容: Exception in thread "main" java.sql.SQ ...
- Linux服务器内存池技术是如何实现的
Linux服务器内存池技术是如何实现的
- aio 系列函数是由 POSIX 定义的异步操作接口,可惜的是,Linux 下的 aio 操作,不是真正的操作系统级别支持的,它只是由 GNU libc 库函数在用户空间借由 pthread 方式实现的,而且仅仅针对磁盘类 I/O,套接字 I/O 不支持。
30 | 真正的大杀器:异步I/O探索 https://time.geekbang.org/column/article/150780
- session和cookie自动登录机制
cookie的存储 cookie是浏览器支持的一种本地存储方式.以dict,键值对方式存储. {"sessionkey": "123"} 浏览器会自动对于它进行 ...
- 长连接 短连接 RST报文
https://baike.baidu.com/item/短连接 短连接(short connnection)是相对于长连接而言的概念,指的是在数据传送过程中,只在需要发送数据时,才去建立一个连接,数 ...
- tcp服务器
如同上面的电话机过程一样,在程序中,如果想要完成一个tcp服务器的功能,需要的流程如下: socket创建一个套接字 bind绑定ip和port listen使套接字变为可以被动链接 accept等待 ...
- .Net框架的概念和运行原理
原文 https://blog.csdn.net/WandDouDou/article/details/80678449
- 配合 jekins—springboot脚本
#!/usr/bin/bash # author : renguangyin@yingu.com current=$(cd `dirname $0`; pwd) cd ${current} ext_n ...
- python--基础3(流程语句)
资源池 链接:https://pan.baidu.com/s/1OGq0GaVcAuYEk4F71v0RWw 提取码:h2sd 本章内容: if判断语句 for循环语句 while循环语句 break ...
- Educational Codeforces Round 102 (Rated for Div. 2) B. String LCM (构造,思维)
题意:给你两个字符串\(a\)和\(b\),找出它们的\(lcm\),即构造一个新的字符串\(c\),使得\(c\)可以由\(x\)个\(a\)得到,并且可以由\(y\)个\(b\)得到,输出\(c\ ...