lines changed Original file line number Diff line number Diff line change @@ -358,6 +358,43 @@ const mainWindow = new BrowserWindow()
358358```
359359
360360
361+ ## Do Not Disable WebSecurity
362+
363+ You may have already guessed that disabling the ` webSecurity ` property on a
364+ renderer process (` BrowserView ` , ` BrowserWindow ` , ` WebView ` ) disables crucial
365+ security features.
366+
367+ Legitimate use cases for this property exist in testing cases, but generally
368+ speaking, ` webSecurity ` should never be disabled in any production application.
369+
370+ ### Why?
371+
372+ Disabling ` webSecurity ` will disable the same-origin policy as well as
373+ implicitly setting the ` allowRunningInsecureContent ` property to ` true ` . In
374+ other words, it allows the execution of insecure code from different domains.
375+
376+ ### How?
377+ ``` js
378+ // Bad
379+ const mainWindow = new BrowserWindow ({
380+ webPreferences: {
381+ webSecurity: false
382+ }
383+ })
384+
385+ // Good
386+ const mainWindow = new BrowserWindow ()
387+ ```
388+
389+ ``` html
390+ <!-- Bad -->
391+ <webview disablewebsecurity src =" page.html" ></webview >
392+
393+ <!-- Good -->
394+ <webview src =" page.html" ></webview >
395+ ```
396+
397+
361398## Verify WebView Options Before Creation
362399A WebView created in a renderer process that does not have Node.js integration
363400enabled will not be able to enable integration itself. However, a WebView will