Enabling Electron allowRunningInsecureContent
ID: js/enabling-electron-insecure-content
Kind: problem
Security severity: 8.8
Severity: error
Precision: very-high
Tags:
- security
- frameworks/electron
- external/cwe/cwe-494
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Electron is secure by default: once a window has loaded a page over HTTPS, Chromium's mixed-content policy blocks that page from running scripts, stylesheets or plugins fetched over plain HTTP. Setting the allowRunningInsecureContent property of a webPreferences object to true disables this policy for the window. Enabling the execution of insecure content is strongly discouraged: anything fetched over HTTP can be altered in transit by an attacker on the network path, so allowing it to run hands that attacker code execution inside the renderer.
Recommendation
Do not enable the allowRunningInsecureContent property. Leave it unset (it defaults to false) or set it explicitly to false so that the mixed-content policy stays in force, and serve every script, stylesheet or plugin the page needs over HTTPS instead.
Example
The following example shows allowRunningInsecureContent being enabled.
const { BrowserWindow } = require('electron')

// Vulnerable: the window's HTTPS content may now run code fetched over HTTP.
const mainWindow = new BrowserWindow({
  webPreferences: {
    allowRunningInsecureContent: true
  }
})
This is problematic: an HTTPS page loaded in this window can execute scripts and other code fetched over HTTP, and an attacker on the network path can replace that content at will, so the renderer ends up running code from an untrusted origin.
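The following is an added example, not part of the CodeQL query documentation or of Electron itself. It shows the page's problematic option object next to a corrected one that simply omits the property (Electron defaults it to false), a helper that reports the value Electron will actually use, and a lightweight textual check that flags the property being set to true in source files. The textual check is a grep-style approximation for a pre-commit hook and deliberately does not follow variables or spread objects the way the real CodeQL query does. All names (effectiveAllowRunningInsecureContent, findInsecureContentFlags, the option objects and the sample source) are this example's own.

```javascript
'use strict';

// Constructed BrowserWindow option objects. The first is the page's own
// problematic example; the second omits the property and so keeps the default.
const INSECURE_OPTIONS = {
  webPreferences: {
    allowRunningInsecureContent: true,
  },
};

const SAFE_OPTIONS = {
  webPreferences: {
    // allowRunningInsecureContent deliberately not set: Electron defaults it to
    // false, so an https page cannot run scripts, styles or plugins fetched over http.
  },
};

// Returns true only if the options would switch off the mixed-content policy.
// A missing webPreferences object or a missing property means the secure default.
function effectiveAllowRunningInsecureContent(options) {
  const prefs = (options && options.webPreferences) || {};
  // Only a literal boolean `true` enables it; a string such as 'true' or an
  // omitted value leaves the policy in force.
  return prefs.allowRunningInsecureContent === true;
}

// Scan JavaScript/TypeScript source text for `allowRunningInsecureContent: true`.
// Returns the 1-based line numbers of each hit. Lines that are plainly comments
// are skipped so a commented-out flag is not reported. This is a textual check
// only (hypothetical helper, not the CodeQL query).
function findInsecureContentFlags(sourceText) {
  const pattern = /\ballowRunningInsecureContent\s*:\s*true\b/;
  const hits = [];
  sourceText.split(/\r?\n/).forEach((line, index) => {
    const trimmed = line.trim();
    if (trimmed.startsWith('//') || trimmed.startsWith('*')) return;
    if (pattern.test(line)) hits.push(index + 1);
  });
  return hits;
}

// Constructed sample source mirroring the page's example, with a commented-out
// decoy on line 2 that must not be reported.
const SAMPLE_SOURCE = `const { BrowserWindow } = require('electron')
// allowRunningInsecureContent: true   <- commented out, must not be reported
const mainWindow = new BrowserWindow({
  webPreferences: {
    allowRunningInsecureContent: true
  }
})`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('insecure options disable mixed-content policy:',
    effectiveAllowRunningInsecureContent(INSECURE_OPTIONS));
  console.log('safe options disable mixed-content policy:',
    effectiveAllowRunningInsecureContent(SAFE_OPTIONS));
  console.log('flag set to true on source lines:',
    findInsecureContentFlags(SAMPLE_SOURCE));
}
```

Run it with node to see that only the first option object disables the policy and that the textual scan reports line 5 of the sample source, not the commented-out decoy on line 2. For real enforcement, rely on the CodeQL query above rather than the regex, which cannot see a flag assigned through a variable or a spread object.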
References
Electron Documentation: Security, Native Capabilities, and Your Responsibility.
Common Weakness Enumeration: CWE-494 (Download of Code Without Integrity Check).