Skip to content

Commit

Permalink
docs: remove unsafe eval section of security tutorial (#15675)
Browse files Browse the repository at this point in the history 
* docs: remove unsafe eval section of security tutorial

* lintfix
  • Loading branch information
@codebytere
codebytere committed Nov 12, 2018
1 parent a54dd10 commit c9d0960
Showing 1 changed file with 14 additions and 42 deletions.
56 changes: 14 additions & 42 deletions docs/tutorial/security.md
View file
Expand Up @@ -75,14 +75,13 @@ improve the security of your application.
4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content)
5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity)
6. [Define a `Content-Security-Policy`](#6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`)
7. [Override and disable `eval`](#7-override-and-disable-eval), which allows strings to be executed as code.
8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true)
9. [Do not enable experimental features](#9-do-not-enable-experimental-features)
10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures)
11. [`<webview>`: Do not use `allowpopups`](#11-do-not-use-allowpopups)
12. [`<webview>`: Verify options and params](#12-verify-webview-options-before-creation)
13. [Disable or limit navigation](#13-disable-or-limit-navigation)
14. [Disable or limit creation of new windows](#14-disable-or-limit-creation-of-new-windows)
7. [Do not set `allowRunningInsecureContent` to `true`](#7-do-not-set-allowrunninginsecurecontent-to-true)
8. [Do not enable experimental features](#8-do-not-enable-experimental-features)
9. [Do not use `enableBlinkFeatures`](#9-do-not-use-enableblinkfeatures)
10. [`<webview>`: Do not use `allowpopups`](#10-do-not-use-allowpopups)
11. [`<webview>`: Verify options and params](#11-verify-webview-options-before-creation)
12. [Disable or limit navigation](#12-disable-or-limit-navigation)
13. [Disable or limit creation of new windows](#13-disable-or-limit-creation-of-new-windows)

## 1) Only Load Secure Content

Expand Down Expand Up @@ -385,34 +384,7 @@ to set a policy on a page directly in the markup using a `<meta>` tag:
#### `webRequest.onHeadersReceived([filter, ]listener)`


## 7) Override and Disable `eval`

`eval()` is a core JavaScript method that allows the execution of JavaScript
from a string. Disabling it disables your app's ability to evaluate JavaScript
that is not known in advance.

### Why?

The `eval()` method has precisely one mission: To evaluate a series of
characters as JavaScript and execute it. It is a required method whenever you
need to evaluate code that is not known ahead of time. While legitimate use
cases exist, like any other code generators, `eval()` is difficult to harden.

Generally speaking, it is easier to completely disable `eval()` than to make
it bulletproof. Thus, if you do not need it, it is a good idea to disable it.

### How?

```js
// ESLint will warn about any use of eval(), even this one
// eslint-disable-next-line
window.eval = global.eval = function () {
throw new Error(`Sorry, this app does not support window.eval().`)
}
```


## 8) Do Not Set `allowRunningInsecureContent` to `true`
## 7) Do Not Set `allowRunningInsecureContent` to `true`

_Recommendation is Electron's default_

Expand Down Expand Up @@ -446,7 +418,7 @@ const mainWindow = new BrowserWindow({})
```


## 9) Do Not Enable Experimental Features
## 8) Do Not Enable Experimental Features

_Recommendation is Electron's default_

Expand Down Expand Up @@ -479,7 +451,7 @@ const mainWindow = new BrowserWindow({})
```


## 10) Do Not Use `enableBlinkFeatures`
## 9) Do Not Use `enableBlinkFeatures`

_Recommendation is Electron's default_

Expand Down Expand Up @@ -511,7 +483,7 @@ const mainWindow = new BrowserWindow()
```


## 11) Do Not Use `allowpopups`
## 10) Do Not Use `allowpopups`

_Recommendation is Electron's default_

Expand Down Expand Up @@ -539,7 +511,7 @@ you know it needs that feature.
```


## 12) Verify WebView Options Before Creation
## 11) Verify WebView Options Before Creation

A WebView created in a renderer process that does not have Node.js integration
enabled will not be able to enable integration itself. However, a WebView will
Expand Down Expand Up @@ -586,7 +558,7 @@ app.on('web-contents-created', (event, contents) => {
Again, this list merely minimizes the risk, it does not remove it. If your goal
is to display a website, a browser will be a more secure option.

## 13) Disable or limit navigation
## 12) Disable or limit navigation

If your app has no need to navigate or only needs to navigate to known pages,
it is a good idea to limit navigation outright to that known scope, disallowing
Expand Down Expand Up @@ -630,7 +602,7 @@ app.on('web-contents-created', (event, contents) => {
})
```

## 14) Disable or limit creation of new windows
## 13) Disable or limit creation of new windows

If you have a known set of windows, it's a good idea to limit the creation of
additional windows in your app.
Expand Down

0 comments on commit c9d0960

Please sign in to comment.