  • xgqfrms™, xgqfrms® : xgqfrms's official website of GitHub!

    Electron Security All In One

    https://www.electronjs.org/docs/tutorial/security

    CSP

    Content-Security-Policy

    
    Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
    This exposes users of this app to unnecessary security risks.
    
    For more information and help, consult
    https://electronjs.org/docs/tutorial/security.
    This warning will not show up
    once the app is packaged.
    (anonymous) @ electron/js2c/renderer_init.js:111
    
    

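                "./lib/renderer/security-warnings.ts": /*! ./lib/renderer/security-warnings.ts */
                /*! no static exports found */
                /**
                 * Webpack module: renderer-side Electron security warnings.
                 *
                 * Exports `securityWarnings(e)`, which registers a one-shot "load" listener.
                 * When warnings are enabled, the listener fetches the window's last
                 * webPreferences over internal IPC and prints one console.warn per risky
                 * setting it finds (Node.js integration or the remote module with remote
                 * content, disabled webSecurity, http:/ftp: sub-resources,
                 * allowRunningInsecureContent, experimentalFeatures, enableBlinkFeatures,
                 * a CSP that permits eval-like code generation, and <webview allowpopups>).
                 *
                 * The checks only log. They are advisory and do not block or change anything.
                 * By default they run only when the executable path looks like the stock
                 * Electron binary, so a packaged app prints nothing unless
                 * ELECTRON_ENABLE_SECURITY_WARNINGS is set. A silent console in a packaged
                 * build therefore says nothing about whether these settings are safe.
                 *
                 * Listing repairs: the page rendering had expanded the "\n" escapes inside
                 * two double-quoted strings (a syntax error) and dropped the backslash in
                 * the Windows executable suffix. Both are restored here. Template-literal
                 * message text is reproduced exactly as listed.
                 *
                 * @param {object} e - webpack `module` object (unused here).
                 * @param {object} t - webpack `exports` object; receives `securityWarnings`.
                 * @param {Function} r - webpack require function.
                 */
                function(e, t, r) {
                    "use strict";
                    (function(proc) {
                        Object.defineProperty(t, "__esModule", {
                            value: true
                        });
                        const electron = r(/*! electron */
                        "./lib/renderer/api/exports/electron.ts");
                        const ipcInternal = r(/*! @electron/internal/renderer/ipc-renderer-internal */
                        "./lib/renderer/ipc-renderer-internal.ts");
                        // Cached answer to "should warnings be logged?"; null means not decided yet.
                        let shouldLog = null;
                        const {platform, execPath, env} = proc;

                        /**
                         * True when the page URL's protocol starts with http, https, ftp or ftps.
                         * The pattern is anchored only at the start. Returns undefined when no
                         * window location is available.
                         */
                        const getIsRemoteProtocol = function() {
                            if (window && window.location && window.location.protocol) {
                                return /^(http|ftp)s?/gi.test(window.location.protocol);
                            }
                        };

                        /**
                         * True only when the page hostname is the literal string "localhost".
                         * Loopback addresses such as 127.0.0.1 are not treated as local here.
                         */
                        const isLocalhost = function() {
                            if (!window || !window.location) {
                                return false;
                            }
                            return window.location.hostname === "localhost";
                        };

                        // Footer appended to every warning. The "\n" escapes are restored: the
                        // listing showed them as raw line breaks inside a double-quoted string.
                        const moreInformation = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged.";

                        /**
                         * Warns when the page may compile code from strings.
                         * The probe is stringified and evaluated through webFrame; it returns false
                         * if `new Function("")` throws (as it does under a CSP without
                         * "unsafe-eval") and true otherwise. The warning is printed asynchronously,
                         * when the probe's promise resolves.
                         */
                        const warnAboutInsecureCSP = function() {
                            electron.webFrame._executeJavaScript(`(${(() => {
                                try {
                                    new Function("");
                                } catch {
                                    return false;
                                }
                                return true;
                            }).toString()})()`, false).then((evalAllowed) => {
                                if (!evalAllowed) {
                                    return;
                                }
                                const warning = `This renderer process has either no Content Security
        Policy set or a policy with "unsafe-eval" enabled. This exposes users of
        this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", warning);
                            });
                        };

                        // Node.js integration combined with a remote (non-localhost) page.
                        const warnAboutNodeWithRemoteContent = function(nodeIntegration) {
                            if (nodeIntegration && !isLocalhost() && getIsRemoteProtocol()) {
                                const warning = `This renderer process has Node.js integration enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to severe security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", warning);
                            }
                        };

                        // webSecurity explicitly set to false (undefined does not trigger the warning).
                        const warnAboutDisabledWebSecurity = function(webPreferences) {
                            if (!webPreferences || webPreferences.webSecurity !== false) {
                                return;
                            }
                            const warning = `This renderer process has "webSecurity" disabled. This
      exposes users of this app to severe security risks.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", warning);
                        };

                        // Sub-resources already fetched over http: or ftp: from a non-localhost host,
                        // as reported by the Resource Timing entries available at "load" time.
                        const warnAboutInsecureResources = function() {
                            if (!window || !window.performance || !window.performance.getEntriesByType) {
                                return;
                            }
                            // "\n" separator restored; the listing showed it as a raw line break.
                            const resources = window.performance.getEntriesByType("resource")
                                .filter(({name}) => /^(http|ftp):/gi.test(name || ""))
                                .filter(({name}) => new URL(name).hostname !== "localhost")
                                .map(({name}) => `- ${name}`)
                                .join("\n");
                            if (!resources || resources.length === 0) {
                                return;
                            }
                            const warning = `This renderer process loads resources using insecure
      protocols. This exposes users of this app to unnecessary security risks.
      Consider loading the following resources over HTTPS or FTPS. 
    ${resources}
      
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", warning);
                        };

                        // allowRunningInsecureContent set to a truthy value.
                        const warnAboutAllowRunningInsecureContent = function(webPreferences) {
                            if (!webPreferences || !webPreferences.allowRunningInsecureContent) {
                                return;
                            }
                            const warning = `This renderer process has "allowRunningInsecureContent"
      enabled. This exposes users of this app to severe security risks.
    
      ${moreInformation}`;
                            console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", warning);
                        };

                        // experimentalFeatures set to a truthy value.
                        const warnAboutExperimentalFeatures = function(webPreferences) {
                            if (!webPreferences || !webPreferences.experimentalFeatures) {
                                return;
                            }
                            const warning = `This renderer process has "experimentalFeatures" enabled.
      This exposes users of this app to some security risk. If you do not need
      this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", warning);
                        };

                        // enableBlinkFeatures present as an own property, unless it is a truthy
                        // value of length 0. A present but falsy value still triggers the warning.
                        const warnAboutEnableBlinkFeatures = function(webPreferences) {
                            if (!webPreferences || !Object.prototype.hasOwnProperty.call(webPreferences, "enableBlinkFeatures") || (webPreferences.enableBlinkFeatures && webPreferences.enableBlinkFeatures.length === 0)) {
                                return;
                            }
                            const warning = `This renderer process has additional "enableBlinkFeatures"
      enabled. This exposes users of this app to some security risk. If you do not
      need this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", warning);
                        };

                        // Any element carrying an "allowpopups" attribute at "load" time.
                        const warnAboutAllowPopups = function() {
                            if (document && document.querySelectorAll) {
                                const matches = document.querySelectorAll("[allowpopups]");
                                if (!matches || matches.length === 0) {
                                    return;
                                }
                                const warning = `A <webview> has "allowpopups" set to true. This exposes
        users of this app to some security risk, since popups are just
        BrowserWindows. If you do not need this feature, you should disable it.
    
        ${moreInformation}`;
                                console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", warning);
                            }
                        };

                        // enableRemoteModule unset (null/undefined) or truthy, on a remote,
                        // non-localhost page. An unset value is treated the same as enabled.
                        const warnAboutRemoteModuleWithRemoteContent = function(webPreferences) {
                            if (!webPreferences || isLocalhost()) {
                                return;
                            }
                            const remoteModuleOn = webPreferences.enableRemoteModule == null || !!webPreferences.enableRemoteModule;
                            if (remoteModuleOn && getIsRemoteProtocol()) {
                                const warning = `This renderer process has "enableRemoteModule" enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", warning);
                            }
                        };

                        /**
                         * Runs every check once, in a fixed order.
                         * @param {object|undefined} webPreferences - preferences fetched over IPC;
                         *   checks that need them return early when this is missing.
                         * @param {*} nodeIntegration - value passed to securityWarnings(); any truthy
                         *   value counts as "Node.js integration enabled".
                         */
                        const logSecurityWarnings = function(webPreferences, nodeIntegration) {
                            warnAboutNodeWithRemoteContent(nodeIntegration);
                            warnAboutDisabledWebSecurity(webPreferences);
                            warnAboutInsecureResources();
                            warnAboutAllowRunningInsecureContent(webPreferences);
                            warnAboutExperimentalFeatures(webPreferences);
                            warnAboutEnableBlinkFeatures(webPreferences);
                            warnAboutInsecureCSP();
                            warnAboutAllowPopups();
                            warnAboutRemoteModuleWithRemoteContent(webPreferences);
                        };

                        /**
                         * Decides (and caches) whether warnings are logged.
                         * The default is true only when execPath matches the per-platform name of
                         * the stock Electron binary. The DISABLE switch (environment variable or
                         * window property) is applied first and the ENABLE switch last, so ENABLE
                         * wins when both are set.
                         */
                        const shouldLogSecurityWarnings = function() {
                            if (shouldLog !== null) {
                                return shouldLog;
                            }
                            switch (platform) {
                            case "darwin":
                                shouldLog = execPath.endsWith("MacOS/Electron") || execPath.includes("Electron.app/Contents/Frameworks/");
                                break;
                            case "freebsd":
                            case "linux":
                                shouldLog = execPath.endsWith("/electron");
                                break;
                            case "win32":
                                // Backslash restored: the listing showed "\electron.exe", which JavaScript
                                // reads as "electron.exe" and which would also match e.g. "myelectron.exe".
                                shouldLog = execPath.endsWith("\\electron.exe");
                                break;
                            default:
                                shouldLog = false;
                            }
                            if ((env && env.ELECTRON_DISABLE_SECURITY_WARNINGS) || (window && window.ELECTRON_DISABLE_SECURITY_WARNINGS)) {
                                shouldLog = false;
                            }
                            if ((env && env.ELECTRON_ENABLE_SECURITY_WARNINGS) || (window && window.ELECTRON_ENABLE_SECURITY_WARNINGS)) {
                                shouldLog = true;
                            }
                            return shouldLog;
                        };

                        /**
                         * Fetches the last webPreferences over internal IPC.
                         * Uses `return await` so that a rejected invoke() is caught here. With a
                         * bare `return` the rejection bypassed this catch and left the "load"
                         * listener as an unhandled rejection, so no checks ran at all. On failure
                         * this now logs and resolves to undefined, and the preference-independent
                         * checks still run.
                         */
                        const getWebPreferences = async function() {
                            try {
                                return await ipcInternal.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES");
                            } catch (error) {
                                console.warn(`getLastWebPreferences() failed: ${error}`);
                            }
                        };

                        /**
                         * Registers the one-shot "load" listener that runs the checks.
                         * @param {*} e - forwarded to the Node.js-integration check as its
                         *   "integration enabled" flag.
                         */
                        t.securityWarnings = function securityWarnings(e) {
                            window.addEventListener("load", async function() {
                                if (!shouldLogSecurityWarnings()) {
                                    return;
                                }
                                const webPreferences = await getWebPreferences();
                                logSecurityWarnings(webPreferences, e);
                            }, {
                                once: true
                            });
                        };
                    }
                    ).call(this, r(/*! @electron/internal/renderer/webpack-provider */
                    "./lib/renderer/webpack-provider.ts").process)
                },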
    
    

    refs



    ©xgqfrms 2012-2020

    www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!


  • 原文地址:https://www.cnblogs.com/xgqfrms/p/13983683.html