How to prevent Electron Security Warning (Insecure Content-Security-Policy) #19775
Comments
|
Right now I can only think of two things: the warning is shown all the time no matter your application code, which I hope is not the case, because that doesn't seem like a right way to go about shedding light on a security checklist or the warning is shown because a |
|
You can add this inside your HTML
i.e. make it <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
<script src="index.js"></script>
</head>
<body></body>
</html>You'll need to add a more detailed policy as you use more resources, of course. I don't know how much you know about CSP, you may or may not find this useful: https://content-security-policy.com/ |
|
Thank you! I found that this is actually included in the security checklist and I just missed it: |
…rity checklist (#19819) I've asked #19775 because I was frustrated with how hard it was to find a way to fix (instead of hide) the CSP warning in Electron and I complained that even the official quick start guide wasn't compliant with the security checklist at https://electronjs.org/docs/tutorial/security. Someone helped me out with a CSP meta tag which I have later noticed is indeed mentioned in the checklist, too: https://electronjs.org/docs/tutorial/security#csp-meta-tag. I have not used the checklist one verbatim because it prevents a `script` tag from working when serving `index.html` through the `file:` protocol as the quick start does. I instead used the one the person in my issue recommended which seems to work well to me. I am not that well versed in CSP so there might be a better policy to include with the quick start, but this is what I've got for now.
Install ng-bootstrap https://ng-bootstrap.github.io/#/getting-started Remove warning with this. electron/electron#19775
…developer tools". See this comment: <electron/electron#19775 (comment)>
|
No description provided. |
|
|
This is the best answer:Thanks @TomasHubelbauer this is the best ! |
|
Solution: protocol.registerSchemesAsPrivileged([
{ scheme: 'http', privileges: { standard: true, bypassCSP: true, allowServiceWorkers: true, supportFetchAPI: true, corsEnabled: true, stream: true } },
{ scheme: 'https', privileges: { standard: true, bypassCSP: true, allowServiceWorkers: true, supportFetchAPI: true, corsEnabled: true, stream: true } },
{ scheme: 'mailto', privileges: { standard: true } },
]); |
|
I resolve this problem by import to index.css |
|
No description provided. |
|
The best solution is to use env settting, only when developing. |
I have a question about CSP in Electron 6 which has already been asked on Stack Overflow here:
https://stackoverflow.com/q/48854265/2715716
However, the question was not answered (there are only recommendations on how to disable the warning, not how to actually prevent the warning from showing).
There is a security checklist for Electron available at https://electronjs.org/docs/tutorial/security, which is very helpful. However, even in the simplest case, I still run afoul of these warnings even when following the most basic simplest Electron tutorial! https://electronjs.org/docs/tutorial/first-app
I don't believe that such a basic issue has been undiscovered for all this time and I'm the first person just coming across this, but alas I have not been able to find a solution.
My repro is simple, it consists of only 4 files:
package.json:{ "main": "main.js", "scripts": { "start": "electron ." }, "devDependencies": { "electron": "^6.0.2" } }main.js:index.html:index.js:This is how far I got with Electron before I ran into my first roadblock. Now how does one go about fixing up this code to avoid the warning?
From what I read,
nodeIntegrationhas beenfalseby default since version 5.Hiding these warnings using
process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';is not a fix, it's hiding the warning.I cannot attach CSP headers to the
index.htmlfile because it is loaded from the disk, not from the network.Ignoring this warning because it is not present when the app is packaged is not a solution either, because it equals to hiding the warning (by ignoring it) instead of fixing it.
In #12035 @MarshallOfSound says to follow the security checklist and the warning will go away. What am I running afoul of in the security checklist in the above repro that they don't go away for me?
What is there left to do to get this warning to go away?
It would be awesome to have an answer for this in the Stack Overflow question as that's where Google takes you on your quest to find out.
The text was updated successfully, but these errors were encountered: