Auxclick HTML Check - Limit navigation flows to untrusted origins

The creation of a new browser window or the navigation to untrusted origins may lead to severe vulnerabilities. Additionally, middle-click causes Electron to open a link within a new window. Under certain circumstances, this can be leveraged to execute arbitrary JavaScript in the context of a new window.


Risk

Navigation to untrusted origins can facilitate attacks, thus it is recommended to limit the ability of a BrowserWindow or webview guest page to initiate new navigation flows. Middle-click events can be leveraged to subvert the flow of the application.

Auditing

Creation of a new window or navigation to a specific origin can be inspected and validated using callbacks for the new-window and will-navigate events. Your application can limit navigation flows by implementing something like:

    // Block any navigation whose destination is not the trusted origin.
    win.webContents.on('will-navigate', (event, newURL) => {
      if (new URL(newURL).origin !== 'https://doyensec.com') {
        event.preventDefault();
      }
    });

      

However, libchromiumcontent will trigger middle-click events as auxclick instead of click.

If you use webview, your application has to explicitly disable this insecure behavior using something like:

        <webview src="https://www.github.com/" disableblinkfeatures="Auxclick"></webview>
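
To audit markup for this setting, the following added example (not part of the original page, and not the code of Electron or of any existing tool) flags every webview tag whose disableblinkfeatures list does not include Auxclick. The function names and the sample markup are constructed for illustration, and the scan uses regular expressions where a production audit would use a real HTML parser.

```javascript
// Added example: report <webview> tags that leave the Auxclick Blink feature enabled.
// Hypothetical helper names; regex-based scan, not a full HTML parser.

// Turn a tag's attribute text into a map keyed by lowercase attribute name.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <webview> whose disableblinkfeatures lacks "Auxclick".
function findAuxclickWebviews(html) {
  const findings = [];
  // Quoted values are consumed whole so a ">" inside a value does not end the tag.
  const tagRe = /<webview\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    // The attribute holds a comma-separated list of Blink feature names.
    const disabled = (attrs['disableblinkfeatures'] || '')
      .split(',')
      .map((feature) => feature.trim());
    if (!disabled.includes('Auxclick')) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ line, src: attrs.src || null });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from a real application).
const sampleHtml = [
  '<webview src="https://www.github.com/" disableblinkfeatures="Auxclick"></webview>',
  '<webview src="https://example.com/"></webview>',
  "<webview src='https://example.org/' disableblinkfeatures='CSSVariables, Auxclick'></webview>",
  '<webview src="https://example.net/" disableblinkfeatures="CSSVariables"></webview>',
].join('\n');

// Lines 2 and 4 of the sample are reported.
console.log(findAuxclickWebviews(sampleHtml));
```

The feature name is matched exactly as the page writes it (Auxclick), while attribute names are compared case-insensitively as in HTML.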


      
