
:memo: Add to security checklist about permission requests

If the handler is not set, remote content can access the user's
information without allowing the permission, e.g. UserMedia
[ci skip]
Yuya Ochiai 8 years ago
commit
11f2574fda
1 changed files with 1 additions and 0 deletions

+ 1 - 0
docs/tutorial/security.md

@@ -58,6 +58,7 @@ This is not bulletproof, but at the least, you should attempt the following:
   (setting `nodeIntegration` to `false` in `webPreferences`)
 * Enable context isolation in all renderers that display remote content
   (setting `contextIsolation` to `true` in `webPreferences`)
+* Use `ses.setPermissionRequestHandler()` in all sessions that load remote content
 * Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
 * Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
 , and use restrictive rules (i.e. `script-src 'self'`)
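
Review bot: The added bullet `* Use ses.setPermissionRequestHandler() in all sessions that load remote content` gives neither the reason nor the expected handler behaviour, while the `nodeIntegration` and `contextIsolation` bullets just above it each carry a parenthetical saying what to set. The rationale exists only in the commit message (with no handler set, remote content can use permissions such as UserMedia without the user allowing them); suggest moving it into the doc line, and stating that the handler should deny any request it does not explicitly expect, since a handler that approves everything leaves the same exposure. `ses` is also not defined anywhere in the visible list, so spelling it out as a `session` instance or linking to the session API documentation would make the item self-contained.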