CodeQL documentation

Enabling Electron allowRunningInsecureContent

ID: js/enabling-electron-insecure-content
Kind: problem
Severity: error
Precision: very-high
   - security
   - frameworks/electron
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Electron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the allowRunningInsecureContent property of a webPreferences object to true will disable this policy.

Enabling the execution of insecure content is strongly discouraged.


Do not enable the allowRunningInsecureContent property.


The following example shows allowRunningInsecureContent being enabled.

const mainWindow = new BrowserWindow({
  webPreferences: {
    allowRunningInsecureContent: true

This is problematic, since it allows the execution of code from an untrusted origin.