Web Security JS Check - Do not use `disablewebsecurity`
This check covers the `webSecurity` option of the `webPreferences` object passed to `BrowserWindow` and the `disablewebsecurity` attribute of the `<webview>` tag. Both map to the underlying Chromium `--disable-web-security` switch. When the attribute is present (or `webSecurity` is set to `false`), the guest page has web security disabled; in particular,
the Same-Origin Policy (SOP) is no longer enforced. Web security is enabled by default, so only an explicit opt-out disables it.
Please note that the Same-Origin Policy is not strictly enforced by the current implementation of Electron, due to a design flaw. As a result, this option is practically irrelevant at the moment.
Risk
With web security disabled, the SOP is not enforced and mixed content is allowed (e.g., an HTTPS page loading JavaScript or CSS from HTTP origins). Any content rendered in that window or `<webview>`, including a page compromised through XSS or a network attacker injecting into HTTP resources, can then read responses from and script into other origins.
Auditing
Check the `webPreferences` object passed to `BrowserWindow` and look for `webSecurity: false`. For `<webview>` tags, look for the `disablewebsecurity` attribute.
Additionally, search for the runtime flag `--disable-web-security` in `package.json` (for example in a `start` script) and throughout the application codebase, where it may also be set programmatically via `app.commandLine.appendSwitch('disable-web-security')`.
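As an added example (not part of the original check and not electronegativity's own code), the following Node.js script implements the two audit steps above as a line-by-line scanner over a constructed set of project files. The file names and their contents are made up for illustration; the script runs offline and reports each indicator with its file and line.

```javascript
// Added example: a small Node.js scanner for the indicators this check
// describes. Not part of electronegativity or of any real project.
//
// It flags three spellings of the same weakness:
//   1. webSecurity: false       in a BrowserWindow webPreferences object
//   2. disablewebsecurity       attribute on a <webview> tag
//   3. disable-web-security     Chromium switch, whether passed on the command
//                               line (--disable-web-security, e.g. in a
//                               package.json script) or set via
//                               app.commandLine.appendSwitch()

const INDICATORS = [
  { kind: 'webPreferences.webSecurity=false', re: /['"]?webSecurity['"]?\s*:\s*false\b/ },
  { kind: 'webview disablewebsecurity attribute', re: /<webview\b[^>]*\bdisablewebsecurity\b/i },
  { kind: 'disable-web-security switch', re: /disable-web-security/ },
];

// Scan a map of { path: contents } line by line and return one finding per
// matching line, so each result points at a reviewable spot in the source.
// Commented-out occurrences are reported too; triage them by hand.
function findWebSecurityFindings(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    contents.split('\n').forEach((text, idx) => {
      for (const { kind, re } of INDICATORS) {
        if (re.test(text)) {
          findings.push({ path, line: idx + 1, kind, text: text.trim() });
        }
      }
    });
  }
  return findings;
}

// The option's semantics: webSecurity defaults to true, so only an explicit
// false disables it. Useful when the object is available at runtime (e.g. in
// a test harness) rather than only as source text.
function isWebSecurityDisabled(webPreferences = {}) {
  return webPreferences.webSecurity === false;
}

// Constructed sample files standing in for an Electron project tree.
const SAMPLE_FILES = {
  'main.js': [
    "const { app, BrowserWindow } = require('electron');",
    '',
    '// Weak: SOP is not enforced for anything this window loads.',
    'const weak = new BrowserWindow({',
    '  webPreferences: { nodeIntegration: false, webSecurity: false },',
    '});',
    '',
    '// Hardened: omit the option or set it to true (the default).',
    'const hardened = new BrowserWindow({',
    '  webPreferences: { nodeIntegration: false, webSecurity: true },',
    '});',
    '',
    "app.commandLine.appendSwitch('disable-web-security');",
  ].join('\n'),
  'renderer/index.html': [
    '<webview src="https://example.com" disablewebsecurity></webview>',
    '<webview src="https://example.com"></webview>',
  ].join('\n'),
  'package.json': JSON.stringify({
    name: 'sample-app',
    scripts: { start: 'electron . --disable-web-security' },
  }, null, 2),
};

// Print a report for the sample tree when run directly: node scan.js
for (const f of findWebSecurityFindings(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line}  [${f.kind}]  ${f.text}`);
}
```

The hardened `BrowserWindow` in the sample is not reported because the regex requires an explicit `false`; leaving `webSecurity` unset is equally safe since the default is `true`. On a real tree you would feed the scanner the contents of every `.js`, `.html` and `package.json` file instead of the constructed map.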