Enabling Electron allowRunningInsecureContent

ID: js/enabling-electron-insecure-content
Kind: problem
Security severity: 8.8
Severity: error
Precision: very-high
Tags:
- security
- frameworks/electron
- external/cwe/cwe-494
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Electron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the allowRunningInsecureContent property of a webPreferences object to true disables this policy.

Enabling the execution of insecure content is strongly discouraged.
Recommendation

Do not enable the allowRunningInsecureContent property.
Example

The following example shows allowRunningInsecureContent being enabled.

```javascript
const { BrowserWindow } = require('electron')

// Insecure: opting out of Electron's default policy that blocks
// execution of content loaded over plain HTTP.
const mainWindow = new BrowserWindow({
  webPreferences: {
    allowRunningInsecureContent: true
  }
})
```
This is problematic, since it allows the execution of code from an untrusted origin.
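The following added example (not part of the CodeQL documentation or the Electron project) places the weak webPreferences object beside a corrected one and adds a small audit that rejects the insecure setting before a window is created. It models the BrowserWindow options object as a plain object so it runs without Electron; createWindow is a hypothetical factory standing in for new BrowserWindow(options), and contextIsolation, nodeIntegration and sandbox are other Electron webPreferences options not covered by this page.

```javascript
// Added example: models Electron's BrowserWindow options as plain objects
// so the audit runs stand-alone, without the electron module.

// Weak configuration from the page: disables the secure default.
const insecureOptions = {
  webPreferences: { allowRunningInsecureContent: true },
};

// Corrected configuration: keep allowRunningInsecureContent at its
// default (false) and state the other hardening options explicitly.
const hardenedOptions = {
  webPreferences: {
    allowRunningInsecureContent: false,
    contextIsolation: true,
    nodeIntegration: false,
    sandbox: true,
  },
};

// Inspects a BrowserWindow options object and returns a list of findings;
// an empty list means the insecure-content policy is still in force.
function auditWebPreferences(options) {
  const findings = [];
  const prefs = (options && options.webPreferences) || {};
  if (prefs.allowRunningInsecureContent === true) {
    findings.push(
      'allowRunningInsecureContent is enabled: scripts loaded over HTTP may execute (CWE-494)'
    );
  }
  return findings;
}

// Guards window creation: refuses to build a window whose options fail the
// audit. `createWindow` is a hypothetical factory standing in for
// `(options) => new BrowserWindow(options)`.
function createHardenedWindow(createWindow, options) {
  const findings = auditWebPreferences(options);
  if (findings.length > 0) {
    throw new Error('Refusing to create window: ' + findings.join('; '));
  }
  return createWindow(options);
}
```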
References

Electron Documentation: Security, Native Capabilities, and Your Responsibility
Common Weakness Enumeration: CWE-494.