
Electron Security All In One

https://www.electronjs.org/docs/tutorial/security

CSP

Content-Security-Policy


Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
This exposes users of this app to unnecessary security risks.

For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
(anonymous) @ electron/js2c/renderer_init.js:111

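            "./lib/renderer/security-warnings.ts": /*!*******************************************!*
  !*** ./lib/renderer/security-warnings.ts ***!
  *******************************************/
            /*! no static exports found */
            // Webpack module wrapper for Electron's renderer-side security warnings:
            // `e` is the module object (unused here), `t` is `exports`, `r` is webpack's require.
            // Three string literals that the copy/paste had mangled are restored below:
            // the shared `l` footer (its "\n" escapes had become raw newlines inside a
            // double-quoted string, a syntax error), the `.join("\n")` in the insecure-resources
            // check, and the Windows `"\\electron.exe"` suffix, where the dropped backslash turned
            // the literal into plain `"electron.exe"` and would have broken the dev-binary check.
            function(e, t, r) {
                "use strict";
                // The IIFE receives the renderer's `process` object (see the `.call` at the bottom).
                (function(e) {
                    Object.defineProperty(t, "__esModule", {
                        value: !0
                    });
                    const n = r(/*! electron */
                    "./lib/renderer/api/exports/electron.ts")
                      , i = r(/*! @electron/internal/renderer/ipc-renderer-internal */
                    "./lib/renderer/ipc-renderer-internal.ts");
                    // Cached "should warnings be shown?" decision; null until first computed.
                    let o = null;
                    const {platform: s, execPath: a, env: c} = e
                      // True when the page itself was loaded over http(s)/ftp(s), i.e. is remote content.
                      // The regex literal is re-created on each call, so the `g` flag's lastIndex is not an issue.
                      , getIsRemoteProtocol = function() {
                        if (window && window.location && window.location.protocol)
                            return /^(http|ftp)s?/gi.test(window.location.protocol)
                    }
                      // Only an exact "localhost" hostname is treated as local.
                      , isLocalhost = function() {
                        return !(!window || !window.location) && "localhost" === window.location.hostname
                    }
                      // Footer appended to every warning message.
                      , l = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged."
                      // Probes the page's CSP by compiling an empty Function in page context via webFrame.
                      // If that succeeds, the CSP is absent or allows 'unsafe-eval', and the
                      // "Insecure Content-Security-Policy" warning quoted at the top of this page is printed.
                      , warnAboutInsecureCSP = function() {
                        n.webFrame._executeJavaScript(`(${(()=>{
                            try {
                                new Function("")
                            } catch {
                                return !1
                            }
                            return !0
                        }
                        ).toString()})()`, !1).then(e=>{
                            if (!e)
                                return;
                            const t = `This renderer process has either no Content Security
    Policy set or a policy with "unsafe-eval" enabled. This exposes users of
    this app to unnecessary security risks.
${l}`;
                            console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", t)
                        }
                        )
                    }
                      // Runs every check once. `e` is the webPreferences object obtained over IPC,
                      // `t` is the nodeIntegration flag handed to securityWarnings().
                      , logSecurityWarnings = function(e, t) {
                        // Node.js integration + remote (non-localhost) content.
                        !function(e) {
                            if (e && !isLocalhost() && getIsRemoteProtocol()) {
                                const e = `This renderer process has Node.js integration enabled
    and attempted to load remote content from '${window.location}'. This
    exposes users of this app to severe security risks.
${l}`;
                                console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", e)
                            }
                        }(t),
                        // webSecurity explicitly set to false.
                        function(e) {
                            if (!e || !1 !== e.webSecurity)
                                return;
                            const t = `This renderer process has "webSecurity" disabled. This
  exposes users of this app to severe security risks.
${l}`;
                            console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", t)
                        }(e),
                        // Resources fetched over plain http:/ftp: from a non-localhost host,
                        // taken from the Performance API's resource timing entries.
                        function() {
                            if (!window || !window.performance || !window.performance.getEntriesByType)
                                return;
                            const e = window.performance.getEntriesByType("resource").filter(({name: e})=>/^(http|ftp):/gi.test(e || "")).filter(({name: e})=>"localhost" !== new URL(e).hostname).map(({name: e})=>`- ${e}`).join("\n");
                            if (!e || 0 === e.length)
                                return;
                            const t = `This renderer process loads resources using insecure
  protocols. This exposes users of this app to unnecessary security risks.
  Consider loading the following resources over HTTPS or FTPS. 
${e}
  
${l}`;
                            console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", t)
                        }(),
                        // allowRunningInsecureContent enabled.
                        function(e) {
                            if (!e || !e.allowRunningInsecureContent)
                                return;
                            const t = `This renderer process has "allowRunningInsecureContent"
  enabled. This exposes users of this app to severe security risks.

  ${l}`;
                            console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", t)
                        }(e),
                        // experimentalFeatures enabled.
                        function(e) {
                            if (!e || !e.experimentalFeatures)
                                return;
                            const t = `This renderer process has "experimentalFeatures" enabled.
  This exposes users of this app to some security risk. If you do not need
  this feature, you should disable it.
${l}`;
                            console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", t)
                        }(e),
                        // enableBlinkFeatures present and non-empty.
                        function(e) {
                            if (!e || !Object.prototype.hasOwnProperty.call(e, "enableBlinkFeatures") || e.enableBlinkFeatures && 0 === e.enableBlinkFeatures.length)
                                return;
                            const t = `This renderer process has additional "enableBlinkFeatures"
  enabled. This exposes users of this app to some security risk. If you do not
  need this feature, you should disable it.
${l}`;
                            console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", t)
                        }(e),
                        warnAboutInsecureCSP(),
                        // Any element in the document carrying an `allowpopups` attribute.
                        function() {
                            if (document && document.querySelectorAll) {
                                const e = document.querySelectorAll("[allowpopups]");
                                if (!e || 0 === e.length)
                                    return;
                                const t = `A <webview> has "allowpopups" set to true. This exposes
    users of this app to some security risk, since popups are just
    BrowserWindows. If you do not need this feature, you should disable it.

    ${l}`;
                                console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", t)
                            }
                        }(),
                        // enableRemoteModule unset (treated as enabled) or truthy, with remote content.
                        function(e) {
                            if (!e || isLocalhost())
                                return;
                            if ((null == e.enableRemoteModule || !!e.enableRemoteModule) && getIsRemoteProtocol()) {
                                const e = `This renderer process has "enableRemoteModule" enabled
    and attempted to load remote content from '${window.location}'. This
    exposes users of this app to unnecessary security risks.
${l}`;
                                console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", e)
                            }
                        }(e)
                    };
                    // Public entry point. `e` is the nodeIntegration flag. Checks run once, after `load`.
                    t.securityWarnings = function securityWarnings(e) {
                        window.addEventListener("load", (async function() {
                            // Warn only when running the unpackaged Electron binary (by execPath suffix
                            // per platform), unless overridden by ELECTRON_DISABLE_SECURITY_WARNINGS /
                            // ELECTRON_ENABLE_SECURITY_WARNINGS on process.env or window. Result is cached in `o`.
                            if (function() {
                                if (null !== o)
                                    return o;
                                switch (s) {
                                case "darwin":
                                    o = a.endsWith("MacOS/Electron") || a.includes("Electron.app/Contents/Frameworks/");
                                    break;
                                case "freebsd":
                                case "linux":
                                    o = a.endsWith("/electron");
                                    break;
                                case "win32":
                                    o = a.endsWith("\\electron.exe");
                                    break;
                                default:
                                    o = !1
                                }
                                return (c && c.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) && (o = !1),
                                (c && c.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) && (o = !0),
                                o
                            }()) {
                                // Ask the main process for the last web preferences; on failure the
                                // checks still run with `undefined`, so the preference-based ones are skipped.
                                const t = await async function() {
                                    try {
                                        return i.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES")
                                    } catch (e) {
                                        console.warn(`getLastWebPreferences() failed: ${e}`)
                                    }
                                }();
                                logSecurityWarnings(t, e)
                            }
                        }
                        ), {
                            once: !0
                        })
                    }
                }
                ).call(this, r(/*! @electron/internal/renderer/webpack-provider */
                "./lib/renderer/webpack-provider.ts").process)
            },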

refs


