Disabling Electron webSecurity¶
ID: js/disabling-electron-websecurity
Kind: problem
Security severity: 6.1
Severity: error
Precision: very-high
Tags:
- security
- frameworks/electron
- external/cwe/cwe-79
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Electron renderers are protected by default by the browser's same-origin policy, so a page loaded into a window can only read or run script and CSS from its own origin (for a typical desktop application, content shipped with the application itself). Setting the `webSecurity` property of a `webPreferences` object to `false` turns that policy off for the window. Electron's own documentation notes that this also enables `allowRunningInsecureContent` unless it has been set explicitly, so the renderer will additionally run HTTP content inside an HTTPS page.

Disabling the same-origin policy is strongly discouraged: any content the window loads, including remote or attacker-controlled pages, can then read from and inject script into content from other origins.
Recommendation¶
Do not disable `webSecurity`. Leave it at its default value of `true` and, if a page needs access to another origin, grant that access on the server side (for example with CORS headers) rather than by turning off the renderer's origin checks.
Example¶
The following example shows `webSecurity` being disabled.
```javascript
const { BrowserWindow } = require('electron')

// Insecure: turning off webSecurity disables the same-origin policy for
// everything this window loads. This is the pattern the query reports.
const mainWindow = new BrowserWindow({
  webPreferences: {
    webSecurity: false
  }
})
```
This is problematic, since it allows the execution of insecure code from other domains: a script running in this window can fetch and read responses from any origin, and a page from one origin can inject script into content from another, which is the cross-site scripting exposure the CWE-79 tag refers to. The fix is simply to remove the `webSecurity: false` entry so the default applies.
References¶
Electron Documentation: Security, Native Capabilities, and Your Responsibility
Common Weakness Enumeration: CWE-79.