CodeQL documentation

Disabling Electron webSecurity

ID: js/disabling-electron-websecurity
Kind: problem
Security severity: 6.1
Severity: error
Precision: very-high
Tags:
- security
- frameworks/electron
- external/cwe/cwe-79
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls


Electron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the webSecurity property of a webPreferences object to false will disable the same-origin policy.

Disabling the same-origin policy is strongly discouraged.

Recommendation

Do not disable webSecurity.

Example

The following example shows webSecurity being disabled.

const { BrowserWindow } = require('electron')

// BAD: setting webSecurity to false turns off the same-origin policy for this window
const mainWindow = new BrowserWindow({ webPreferences: { webSecurity: false } })

This is problematic, since it allows the execution of insecure code from other domains.
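The check this query performs, expressed as plain JavaScript so it can be run outside Electron: an added example, not code from the CodeQL documentation or from Electron itself. The helper names auditBrowserWindowOptions and hardenedWindowOptions are assumptions; the audit flags only an explicit webSecurity: false, because Electron's default for the option is true.

```javascript
'use strict';

// Audit a BrowserWindow options object for the pattern this query reports.
// Only an explicit `false` disables the same-origin policy; an absent or
// undefined webSecurity keeps Electron's secure default and is not reported.
function auditBrowserWindowOptions(options) {
  const findings = [];
  const prefs = (options && options.webPreferences) || {};
  if (prefs.webSecurity === false) {
    findings.push({
      rule: 'js/disabling-electron-websecurity',
      message: 'webPreferences.webSecurity is false: same-origin policy disabled',
    });
  }
  return findings;
}

// Build BrowserWindow options while keeping the secure default. A caller that
// tries to pass webSecurity: false is rejected instead of silently honoured.
function hardenedWindowOptions(overrides = {}) {
  const webPreferences = { ...(overrides.webPreferences || {}) };
  if (webPreferences.webSecurity === false) {
    throw new Error('Refusing to build BrowserWindow options with webSecurity disabled');
  }
  webPreferences.webSecurity = true; // state Electron's default explicitly
  return { ...overrides, webPreferences };
}

// Constructed samples: the options object from the example above, and a
// hardened one produced by the builder (hypothetical helper, not Electron API).
const insecureOptions = { webPreferences: { webSecurity: false } };
const secureOptions = hardenedWindowOptions({ width: 800, height: 600 });

console.log(auditBrowserWindowOptions(insecureOptions)); // one finding
console.log(auditBrowserWindowOptions(secureOptions));   // []
```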
