
docs: security.md: Fix navigation lockdown example code (#14185)

The `url` module is not a constructor; change `require('url')` to
`require('url').URL`. Also, check the entire origin rather than just
the hostname, since otherwise `http://my-own-server.com` is allowed in
addition to `https://my-own-server.com`, in violation of point 1 (only
load secure content).

Signed-off-by: Anders Kaseorg <[email protected]>
Anders Kaseorg 6 years ago
parent
commit
466fe816d5
1 changed files with 2 additions and 2 deletions

docs/tutorial/security.md

@@ -612,13 +612,13 @@ sometimes be fooled - a `startsWith('https://google.com')` test would let
 `https://google.com.attacker.com` through.
 
 ```js
-const URL = require('url')
+const URL = require('url').URL
 
 app.on('web-contents-created', (event, contents) => {
   contents.on('will-navigate', (event, navigationUrl) => {
     const parsedUrl = new URL(navigationUrl)
 
-    if (parsedUrl.hostname !== 'my-own-server.com') {
+    if (parsedUrl.origin !== 'https://my-own-server.com') {
       event.preventDefault()
     }
   })
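Review bot: In the `will-navigate` handler, `new URL(navigationUrl)` still sits outside any error handling, so an input that fails to parse throws a `TypeError` before `event.preventDefault()` is reached and the example fails open instead of closed. Since this is the snippet people will copy for navigation lockdown, consider parsing inside a `try`/`catch` and calling `event.preventDefault()` in the `catch` as well, so that anything that is not exactly `https://my-own-server.com` is blocked. The switch from `hostname` to `origin` is the right check, but the surrounding prose should say that `origin` covers scheme, host and port, so readers whose server runs on a non-default port know to include the port in the string. A smaller style point on the changed import: `const { URL } = require('url')` reads more clearly than `require('url').URL`.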