Disabling Electron webSecurity — CodeQL query help documentation CodeQL docs

Disabling Electron webSecurity

ID: js/disabling-electron-websecurity
Kind: problem
Security severity: 6.1
Severity: error
Precision: very-high
Tags:
- security
- frameworks/electron
- external/cwe/cwe-079
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls


Electron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the webSecurity property of a webPreferences object to false will disable the same-origin policy.

Disabling the same-origin policy is strongly discouraged.

Recommendation

Do not disable webSecurity.

Example

The following example shows webSecurity being disabled.

const { BrowserWindow } = require('electron')
const mainWindow = new BrowserWindow({ webPreferences: { webSecurity: false } }) // disables the same-origin policy

This is problematic, since it allows the execution of insecure code from other domains.
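As an added example (not part of the CodeQL documentation or the query itself), the following hypothetical helper applies the same check the query makes, explicit `webSecurity: false` in `webPreferences`, to a BrowserWindow options object at runtime, and a guard that refuses to build a window from such options. It does not import electron, so it runs stand-alone; only an explicit `false` is flagged because Electron's default for webSecurity is `true`.

```javascript
// Added example, not from the CodeQL docs. Hypothetical audit helper that
// flags the same pattern as js/disabling-electron-websecurity.

/**
 * Return findings for a BrowserWindow options object.
 * Electron defaults webSecurity to true, so an absent key is not a finding;
 * only an explicit `false` disables the same-origin policy.
 */
function auditWindowOptions(options) {
  const findings = [];
  const prefs = (options && options.webPreferences) || {};
  if (prefs.webSecurity === false) {
    findings.push({
      rule: 'js/disabling-electron-websecurity',
      message: 'webPreferences.webSecurity is false: same-origin policy disabled',
    });
  }
  return findings;
}

/**
 * Guard for window construction: throws if the options would disable
 * webSecurity, otherwise returns them unchanged. In an Electron app this
 * wraps the constructor call: new BrowserWindow(assertSecureWindowOptions(opts)).
 */
function assertSecureWindowOptions(options) {
  const findings = auditWindowOptions(options);
  if (findings.length > 0) {
    throw new Error(findings.map((f) => `${f.rule}: ${f.message}`).join('; '));
  }
  return options;
}

// Constructed sample inputs: the insecure configuration from the example
// above, and a hardened one that leaves the same-origin policy enabled.
const insecureOptions = { webPreferences: { webSecurity: false } };
const secureOptions = { webPreferences: { webSecurity: true } };
```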

References