diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index 0e2ce625da191..b8fbbd9e40755 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -75,14 +75,13 @@ improve the security of your application. 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content) 5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity) 6. [Define a `Content-Security-Policy`](#6-define-a-content-security-policy) and use restrictive rules (i.e. `script-src 'self'`) -7. [Override and disable `eval`](#7-override-and-disable-eval), which allows strings to be executed as code. -8. [Do not set `allowRunningInsecureContent` to `true`](#8-do-not-set-allowrunninginsecurecontent-to-true) -9. [Do not enable experimental features](#9-do-not-enable-experimental-features) -10. [Do not use `enableBlinkFeatures`](#10-do-not-use-enableblinkfeatures) -11. [``: Do not use `allowpopups`](#11-do-not-use-allowpopups) -12. [``: Verify options and params](#12-verify-webview-options-before-creation) -13. [Disable or limit navigation](#13-disable-or-limit-navigation) -14. [Disable or limit creation of new windows](#14-disable-or-limit-creation-of-new-windows) +7. [Do not set `allowRunningInsecureContent` to `true`](#7-do-not-set-allowrunninginsecurecontent-to-true) +8. [Do not enable experimental features](#8-do-not-enable-experimental-features) +9. [Do not use `enableBlinkFeatures`](#9-do-not-use-enableblinkfeatures) +10. [``: Do not use `allowpopups`](#10-do-not-use-allowpopups) +11. [``: Verify options and params](#11-verify-webview-options-before-creation) +12. [Disable or limit navigation](#12-disable-or-limit-navigation) +13. [Disable or limit creation of new windows](#13-disable-or-limit-creation-of-new-windows) ## 1) Only Load Secure Content @@ -385,34 +384,7 @@ to set a policy on a page directly in the markup using a `` tag: #### `webRequest.onHeadersReceived([filter, ]listener)` -## 7) Override and Disable `eval` - -`eval()` is a core JavaScript method that allows the execution of JavaScript -from a string. Disabling it disables your app's ability to evaluate JavaScript -that is not known in advance. - -### Why? - -The `eval()` method has precisely one mission: To evaluate a series of -characters as JavaScript and execute it. It is a required method whenever you -need to evaluate code that is not known ahead of time. While legitimate use -cases exist, like any other code generators, `eval()` is difficult to harden. - -Generally speaking, it is easier to completely disable `eval()` than to make -it bulletproof. Thus, if you do not need it, it is a good idea to disable it. - -### How? - -```js -// ESLint will warn about any use of eval(), even this one -// eslint-disable-next-line -window.eval = global.eval = function () { - throw new Error(`Sorry, this app does not support window.eval().`) -} -``` - - -## 8) Do Not Set `allowRunningInsecureContent` to `true` +## 7) Do Not Set `allowRunningInsecureContent` to `true` _Recommendation is Electron's default_ @@ -446,7 +418,7 @@ const mainWindow = new BrowserWindow({}) ``` -## 9) Do Not Enable Experimental Features +## 8) Do Not Enable Experimental Features _Recommendation is Electron's default_ @@ -479,7 +451,7 @@ const mainWindow = new BrowserWindow({}) ``` -## 10) Do Not Use `enableBlinkFeatures` +## 9) Do Not Use `enableBlinkFeatures` _Recommendation is Electron's default_ @@ -511,7 +483,7 @@ const mainWindow = new BrowserWindow() ``` -## 11) Do Not Use `allowpopups` +## 10) Do Not Use `allowpopups` _Recommendation is Electron's default_ @@ -539,7 +511,7 @@ you know it needs that feature. ``` -## 12) Verify WebView Options Before Creation +## 11) Verify WebView Options Before Creation A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. However, a WebView will @@ -586,7 +558,7 @@ app.on('web-contents-created', (event, contents) => { Again, this list merely minimizes the risk, it does not remove it. If your goal is to display a website, a browser will be a more secure option. -## 13) Disable or limit navigation +## 12) Disable or limit navigation If your app has no need to navigate or only needs to navigate to known pages, it is a good idea to limit navigation outright to that known scope, disallowing @@ -630,7 +602,7 @@ app.on('web-contents-created', (event, contents) => { }) ``` -## 14) Disable or limit creation of new windows +## 13) Disable or limit creation of new windows If you have a known set of windows, it's a good idea to limit the creation of additional windows in your app.