JavaScript

Made by DeepSource

Insecure web security preferences found in Electron JS-S1015

Category: Security. Severity: Critical. Autofix: available. Tags: A03, CWE-79, SANS Top 25, OWASP Top 10.

Setting the webSecurity property to false, or allowRunningInsecureContent to true, in the webPreferences of an Electron BrowserWindow or BrowserView (the objects that host renderer processes) disables crucial security features. By default, webSecurity is true and allowRunningInsecureContent is false.

Disabling webSecurity turns off the same-origin policy and also sets allowRunningInsecureContent to true. This can allow insecure code from other origins to be loaded and executed in the renderer.

Electron has a security feature that prevents websites loaded over HTTPS from running scripts, CSS, or plugins from insecure (HTTP) sources. However, this protection can be disabled by setting the property allowRunningInsecureContent to true. Loading content over HTTPS provides authenticity and integrity of resources as well as encryption of the traffic.

Bad Practice

const { BrowserWindow } = require('electron')
const mainWindow = new BrowserWindow({
  webPreferences: {
    webSecurity: false, // `webSecurity` should not be set to false
    allowRunningInsecureContent: true // `allowRunningInsecureContent` should not be set to true
  }
})

Recommended

const { BrowserWindow } = require('electron')
const mainWindow = new BrowserWindow({
  // alternatively: Do not set these properties in the preferences object, as they're configured correctly by default.
  webPreferences: {
    webSecurity: true,
    allowRunningInsecureContent: false
  }
})
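As an added example (not DeepSource's analyzer and not Electron's own code), the helper below models the two conditions this rule checks over the options object passed to BrowserWindow or BrowserView, and also resolves the effective settings so the coupling between webSecurity and allowRunningInsecureContent is visible. The function names and the sample option objects are constructed for this illustration.

```javascript
// Added example (not DeepSource's analyzer or Electron's API): a minimal audit
// of the `webPreferences` passed to BrowserWindow / BrowserView, reporting the
// two settings JS-S1015 flags. Helper names are hypothetical.

// Electron's defaults for the two properties this rule covers.
const ELECTRON_DEFAULTS = Object.freeze({
  webSecurity: true,
  allowRunningInsecureContent: false,
});

// Resolve what Electron will actually enforce for a given webPreferences object.
// Note the coupling: webSecurity: false also forces allowRunningInsecureContent: true.
function effectiveWebPreferences(webPreferences = {}) {
  const prefs = { ...ELECTRON_DEFAULTS, ...webPreferences };
  if (prefs.webSecurity === false) {
    prefs.allowRunningInsecureContent = true;
  }
  return prefs;
}

// Report each explicitly insecure setting, mirroring the rule's two conditions.
function auditWebPreferences(webPreferences = {}) {
  const findings = [];
  if (webPreferences.webSecurity === false) {
    findings.push({
      property: 'webSecurity',
      message: 'webSecurity: false disables the same-origin policy (and implies allowRunningInsecureContent: true); remove it or set it to true.',
    });
  }
  if (webPreferences.allowRunningInsecureContent === true) {
    findings.push({
      property: 'allowRunningInsecureContent',
      message: 'allowRunningInsecureContent: true lets HTTPS pages run HTTP scripts, CSS and plugins; remove it or set it to false.',
    });
  }
  return findings;
}

// Convenience wrapper for the options object given to `new BrowserWindow(options)`.
function auditWindowOptions(options = {}) {
  return auditWebPreferences(options.webPreferences || {});
}

// Constructed sample configurations (the page's "Bad Practice" and "Recommended" shapes).
const BAD_OPTIONS = { webPreferences: { webSecurity: false, allowRunningInsecureContent: true } };
const OK_OPTIONS = { webPreferences: { contextIsolation: true } };
console.log(auditWindowOptions(BAD_OPTIONS).map((f) => f.property)); // ['webSecurity', 'allowRunningInsecureContent']
console.log(auditWindowOptions(OK_OPTIONS)); // []
```

Omitting both properties from webPreferences, as the recommended block does, yields no findings because Electron's defaults are already the secure values.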
