Electron Security All In One
Electron Security All In One
https://www.electronjs.org/docs/tutorial/security
CSP
Content-Security-Policy
Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
This exposes users of this app to unnecessary security risks.
For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
(anonymous) @ electron/js2c/renderer_init.js:111
"./lib/renderer/security-warnings.ts": /*!*******************************************!*\
!*** ./lib/renderer/security-warnings.ts ***!
\*******************************************/
/*! no static exports found */
function(e, t, r) {
"use strict";
(function(e) {
Object.defineProperty(t, "__esModule", {
value: !0
});
const n = r(/*! electron */
"./lib/renderer/api/exports/electron.ts")
, i = r(/*! @electron/internal/renderer/ipc-renderer-internal */
"./lib/renderer/ipc-renderer-internal.ts");
let o = null;
const {platform: s, execPath: a, env: c} = e
, getIsRemoteProtocol = function() {
if (window && window.location && window.location.protocol)
return /^(http|ftp)s?/gi.test(window.location.protocol)
}
, isLocalhost = function() {
return !(!window || !window.location) && "localhost" === window.location.hostname
}
, l = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged."
, warnAboutInsecureCSP = function() {
n.webFrame._executeJavaScript(`(${(()=>{
try {
new Function("")
} catch {
return !1
}
return !0
}
).toString()})()`, !1).then(e=>{
if (!e)
return;
const t = `This renderer process has either no Content Security\n Policy set or a policy with "unsafe-eval" enabled. This exposes users of\n this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", t)
}
)
}
, logSecurityWarnings = function(e, t) {
!function(e) {
if (e && !isLocalhost() && getIsRemoteProtocol()) {
const e = `This renderer process has Node.js integration enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", e)
}
}(t),
function(e) {
if (!e || !1 !== e.webSecurity)
return;
const t = `This renderer process has "webSecurity" disabled. This\n exposes users of this app to severe security risks.\n${l}`;
console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", t)
}(e),
function() {
if (!window || !window.performance || !window.performance.getEntriesByType)
return;
const e = window.performance.getEntriesByType("resource").filter(({name: e})=>/^(http|ftp):/gi.test(e || "")).filter(({name: e})=>"localhost" !== new URL(e).hostname).map(({name: e})=>`- ${e}`).join("\n");
if (!e || 0 === e.length)
return;
const t = `This renderer process loads resources using insecure\n protocols. This exposes users of this app to unnecessary security risks.\n Consider loading the following resources over HTTPS or FTPS. \n${e}\n \n${l}`;
console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", t)
}(),
function(e) {
if (!e || !e.allowRunningInsecureContent)
return;
const t = `This renderer process has "allowRunningInsecureContent"\n enabled. This exposes users of this app to severe security risks.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !e.experimentalFeatures)
return;
const t = `This renderer process has "experimentalFeatures" enabled.\n This exposes users of this app to some security risk. If you do not need\n this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", t)
}(e),
function(e) {
if (!e || !Object.prototype.hasOwnProperty.call(e, "enableBlinkFeatures") || e.enableBlinkFeatures && 0 === e.enableBlinkFeatures.length)
return;
const t = `This renderer process has additional "enableBlinkFeatures"\n enabled. This exposes users of this app to some security risk. If you do not\n need this feature, you should disable it.\n${l}`;
console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", t)
}(e),
warnAboutInsecureCSP(),
function() {
if (document && document.querySelectorAll) {
const e = document.querySelectorAll("[allowpopups]");
if (!e || 0 === e.length)
return;
const t = `A <webview> has "allowpopups" set to true. This exposes\n users of this app to some security risk, since popups are just\n BrowserWindows. If you do not need this feature, you should disable it.\n\n ${l}`;
console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", t)
}
}(),
function(e) {
if (!e || isLocalhost())
return;
if ((null == e.enableRemoteModule || !!e.enableRemoteModule) && getIsRemoteProtocol()) {
const e = `This renderer process has "enableRemoteModule" enabled\n and attempted to load remote content from '${window.location}'. This\n exposes users of this app to unnecessary security risks.\n${l}`;
console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", e)
}
}(e)
};
t.securityWarnings = function securityWarnings(e) {
window.addEventListener("load", (async function() {
if (function() {
if (null !== o)
return o;
switch (s) {
case "darwin":
o = a.endsWith("MacOS/Electron") || a.includes("Electron.app/Contents/Frameworks/");
break;
case "freebsd":
case "linux":
o = a.endsWith("/electron");
break;
case "win32":
o = a.endsWith("\\electron.exe");
break;
default:
o = !1
}
return (c && c.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) && (o = !1),
(c && c.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) && (o = !0),
o
}()) {
const t = await async function() {
try {
return i.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES")
} catch (e) {
console.warn(`getLastWebPreferences() failed: ${e}`)
}
}();
logSecurityWarnings(t, e)
}
}
), {
once: !0
})
}
}
).call(this, r(/*! @electron/internal/renderer/webpack-provider */
"./lib/renderer/webpack-provider.ts").process)
},
refs
xgqfrms 2012-2020
www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!
Electron Security All In One的更多相关文章
- electron-vue 运行项目时会报Electron Security Warning (Node.js Integration with Remote Content)警告
使用electron-vue时,运行项目总会出现如下警告: 解决方法:在src/renderer/main.js中加入: process.env['ELECTRON_DISABLE_SECURITY_ ...
- electron 基础
electron 基础 前文我们快速的用了一下 electron.本篇将进一步介绍其基础知识点,例如:生命周期.主进程和渲染进程通信.contextBridge.预加载(禁用node集成).优雅的显示 ...
- Bug Bounty Reference
https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md#remote-code-execution Bug Bou ...
- npm 打包 electron app 报错问题
在进行desktop打包过程中,遇到如下报错: 0 info it worked if it ends with ok 1 verbose cli [ 'C:\\Program Files\\node ...
- (译)通过 HTML、JS 和 Electron 创建你的第一个桌面应用
原文:Creating Your First Desktop App With HTML, JS and Electron 作者:Danny Markov 近年来 web 应用变得越来越强大,但是桌面 ...
- electron应用以管理员权限启动
最近在用electron开发PC桌面应用,其中有个需求就是整个应用以管理员权限启动.很头痛,各种google,baidu. 最后终于解决了,可以分为三个步骤,做个总结分享. 一.如果没有manifes ...
- ref:web security最新学习资料收集
ref:https://chybeta.github.io/2017/08/19/Web-Security-Learning/ ref:https://github.com/CHYbeta/Web-S ...
- electron 集成 SQLCipher
mac 安装 brew /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/m ...
- 第二章 你第首个Electron应用 | Electron in Action(中译)
本章主要内容 构建并启动Electron应用 生成package.json,配置成Electron应用 在你的项目中包含预先构建Electron版本 配置package.json以启动主进程 从主进程 ...
随机推荐
- OpenStack各组件的常用命令
openstack命令 openstack-service restart #重启openstack服务 openstack endpoint-list #查看openstack的 ...
- jmeter报Address already in use: connect
jmeter报Address already in use: connect 用windows进行jmeter压测出现java.net.BindException: Address already ...
- jmeter-登录获取cookie后参数化,或手动添加cookie, 再进行并发测试
以下情况其实并不适用于直接登录可以获取cookie情况,直接可以登录成功,直接添加cookie管理,cookie可以直接使用用于以下请求操作. 如果登录一次后,后续许多操作,可以将cookie管理器放 ...
- 关于Java客户端连接虚拟机中的Kafka时,无法发送、接收消息的问题
kafka通过控制台模拟消息发送和消息接收正常,但是通过javaAPI操作生产者发送消息不成功 消费者接收不到数据解决方案? 1.问题排查 (1)首先通过在服务器上使用命令行来模拟生产.消费数据,发现 ...
- odoo-nginx 配置之80端口
1 upstream odoo { 2 server 127.0.0.1:8069 weight=1 fail_timeout=0; 3 } 4 5 upstream odoo-im { 6 serv ...
- Docker+Prometheus+Alertmanager+Webhook钉钉告警
Docker+Prometheus+Alertmanager+Webhook钉钉告警 1.环境部署 1.1 二进制部署 1.2 docker部署 1.2.1 webhook 1.2.2 alertma ...
- Web信息收集之搜索引擎-Zoomeye Hacking
Web信息收集之搜索引擎-Zoomeye Hacking https://www.zoomeye.org ZoomEye(钟馗之眼)是一个面向网络空间的搜索引擎,"国产的Shodan&quo ...
- Spring boot 自定义注解标签记录系统访问日志
package io.renren.common.annotation; import java.lang.annotation.Documented; import java.lang.annota ...
- kafka背着你做了什么?
Kafka中有broker.主题.分区.副本等概念,底层有日志和日志分片. 我们先简单介绍一下这些概念,做个类比. broker可以简单理解为一台物理机,其实一台机器上可以有多个broker进程,但是 ...
- 阅读笔记:ImageNet Classification with Deep Convolutional Neural Networks
概要: 本文中的Alexnet神经网络在LSVRC-2010图像分类比赛中得到了第一名和第五名,将120万高分辨率的图像分到1000不同的类别中,分类结果比以往的神经网络的分类都要好.为了训练更快,使 ...