  • xgqfrms™, xgqfrms® : xgqfrms's official website of GitHub!

    Electron Security All In One

    https://www.electronjs.org/docs/tutorial/security

    CSP

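    Content-Security-Policy: the console warning below is what Electron prints, while the app is not packaged, when a renderer has no Content Security Policy or one that allows "unsafe-eval". It is emitted by the security-warnings module listed after it.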

    
    Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
    This exposes users of this app to unnecessary security risks.
    
    For more information and help, consult
    https://electronjs.org/docs/tutorial/security.
    This warning will not show up
    once the app is packaged.
    (anonymous) @ electron/js2c/renderer_init.js:111
    
    

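                "./lib/renderer/security-warnings.ts":
                /**
                 * Webpack module "./lib/renderer/security-warnings.ts" (no static exports).
                 *
                 * Exports `securityWarnings`, which waits for the window "load" event and then
                 * prints one console warning per risky renderer setting it detects. Every check
                 * only warns; nothing in this module blocks or changes a setting.
                 *
                 * NOTE(review): relative to the listing as rendered, "\n" escapes are restored in
                 * the two double-quoted strings that were split across lines (a syntax error),
                 * the Windows path check again requires a backslash before "electron.exe", and
                 * the IPC promise is awaited so the surrounding try/catch can observe a rejection.
                 */
                function(module, exports, __webpack_require__) {
                    "use strict";
                    (function(process) {
                        Object.defineProperty(exports, "__esModule", {
                            value: true
                        });
                        const electron = __webpack_require__(/*! electron */
                        "./lib/renderer/api/exports/electron.ts");
                        const ipcInternal = __webpack_require__(/*! @electron/internal/renderer/ipc-renderer-internal */
                        "./lib/renderer/ipc-renderer-internal.ts");

                        // Cached result of shouldLogSecurityWarnings(); null until first computed.
                        let shouldLog = null;
                        const { platform, execPath, env } = process;

                        /**
                         * Tests whether the page's protocol starts with "http" or "ftp"
                         * (so "https:" and "ftps:" match as well).
                         * @returns {boolean|undefined} undefined when window.location.protocol is unavailable.
                         */
                        const getIsRemoteProtocol = function() {
                            if (window && window.location && window.location.protocol) {
                                return /^(http|ftp)s?/i.test(window.location.protocol);
                            }
                            return undefined;
                        };

                        /**
                         * Tests whether the page's hostname is exactly "localhost".
                         * Other loopback spellings are not treated as local by this comparison.
                         * @returns {boolean}
                         */
                        const isLocalhost = function() {
                            if (!window || !window.location) {
                                return false;
                            }
                            return window.location.hostname === "localhost";
                        };

                        // Common footer appended to every warning text.
                        const moreInformation = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged.";

                        /**
                         * Decides whether warnings are printed at all, and caches the answer.
                         *
                         * By default the answer is derived from the executable path: it is true only
                         * when the path looks like the stock Electron binary for the platform. A
                         * packaged app therefore prints nothing by default, so a quiet console in a
                         * packaged build says nothing about whether the settings below are safe.
                         * ELECTRON_DISABLE_SECURITY_WARNINGS / ELECTRON_ENABLE_SECURITY_WARNINGS are
                         * read from the process environment or from a property on `window`; the
                         * ENABLE flag is applied last and wins when both are set.
                         * @returns {boolean}
                         */
                        const shouldLogSecurityWarnings = function() {
                            if (shouldLog !== null) {
                                return shouldLog;
                            }
                            switch (platform) {
                            case "darwin":
                                shouldLog = execPath.endsWith("MacOS/Electron") || execPath.includes("Electron.app/Contents/Frameworks/");
                                break;
                            case "freebsd":
                            case "linux":
                                shouldLog = execPath.endsWith("/electron");
                                break;
                            case "win32":
                                // The path separator is part of the match, as in the "/electron" case above.
                                shouldLog = execPath.endsWith("\\electron.exe");
                                break;
                            default:
                                shouldLog = false;
                            }
                            if (env && env.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS) {
                                shouldLog = false;
                            }
                            if (env && env.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS) {
                                shouldLog = true;
                            }
                            return shouldLog;
                        };

                        /**
                         * Asks the main process for the last web preferences over internal IPC.
                         * @returns {Promise<object|undefined>} undefined when the IPC call fails.
                         */
                        const getWebPreferences = async function() {
                            try {
                                // `return await` keeps a rejected invoke() inside this try block; with a bare
                                // `return` the catch below never ran and the rejection escaped to the load
                                // listener, skipping every check.
                                return await ipcInternal.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES");
                            } catch (error) {
                                console.warn(`getLastWebPreferences() failed: ${error}`);
                            }
                            return undefined;
                        };

                        /**
                         * Warns when the page can evaluate strings as code, which the warning text
                         * attributes to a missing CSP or a CSP that allows "unsafe-eval".
                         */
                        const warnAboutInsecureCSP = function() {
                            // Deliberate probe, serialised and run in the page: constructing a Function
                            // from an empty string throws when string evaluation is not permitted there.
                            const canEvalStrings = () => {
                                try {
                                    new Function("");
                                } catch {
                                    return false;
                                }
                                return true;
                            };
                            electron.webFrame._executeJavaScript(`(${canEvalStrings.toString()})()`, false).then((evalAllowed) => {
                                if (!evalAllowed) {
                                    return;
                                }
                                const warning = `This renderer process has either no Content Security
        Policy set or a policy with "unsafe-eval" enabled. This exposes users of
        this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", warning);
                            });
                        };

                        // Node.js integration is on while the page itself came from a remote, non-localhost origin.
                        const warnAboutNodeWithRemoteContent = function(nodeIntegration) {
                            if (nodeIntegration && !isLocalhost() && getIsRemoteProtocol()) {
                                const warning = `This renderer process has Node.js integration enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to severe security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", warning);
                            }
                        };

                        // Warns only when webSecurity is explicitly false; unset or true stays silent.
                        const warnAboutDisabledWebSecurity = function(webPreferences) {
                            if (!webPreferences || webPreferences.webSecurity !== false) {
                                return;
                            }
                            const warning = `This renderer process has "webSecurity" disabled. This
      exposes users of this app to severe security risks.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", warning);
                        };

                        // Lists resources the page fetched over http: or ftp: from hosts other than localhost.
                        const warnAboutInsecureResources = function() {
                            if (!window || !window.performance || !window.performance.getEntriesByType) {
                                return;
                            }
                            const resources = window.performance.getEntriesByType("resource")
                                .filter(({ name }) => /^(http|ftp):/i.test(name || ""))
                                .filter(({ name }) => new URL(name).hostname !== "localhost")
                                .map(({ name }) => `- ${name}`)
                                .join("\n");
                            if (!resources || resources.length === 0) {
                                return;
                            }
                            const warning = `This renderer process loads resources using insecure
      protocols. This exposes users of this app to unnecessary security risks.
      Consider loading the following resources over HTTPS or FTPS. 
    ${resources}
      
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", warning);
                        };

                        // Warns when allowRunningInsecureContent is truthy.
                        const warnAboutInsecureContentAllowed = function(webPreferences) {
                            if (!webPreferences || !webPreferences.allowRunningInsecureContent) {
                                return;
                            }
                            const warning = `This renderer process has "allowRunningInsecureContent"
      enabled. This exposes users of this app to severe security risks.
    
      ${moreInformation}`;
                            console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", warning);
                        };

                        // Warns when experimentalFeatures is truthy.
                        const warnAboutExperimentalFeatures = function(webPreferences) {
                            if (!webPreferences || !webPreferences.experimentalFeatures) {
                                return;
                            }
                            const warning = `This renderer process has "experimentalFeatures" enabled.
      This exposes users of this app to some security risk. If you do not need
      this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", warning);
                        };

                        // Warns when enableBlinkFeatures is present as an own property, unless it is a
                        // truthy value of length 0.
                        const warnAboutEnabledBlinkFeatures = function(webPreferences) {
                            if (!webPreferences || !Object.prototype.hasOwnProperty.call(webPreferences, "enableBlinkFeatures") || webPreferences.enableBlinkFeatures && webPreferences.enableBlinkFeatures.length === 0) {
                                return;
                            }
                            const warning = `This renderer process has additional "enableBlinkFeatures"
      enabled. This exposes users of this app to some security risk. If you do not
      need this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", warning);
                        };

                        // Warns when any element in the document carries an "allowpopups" attribute.
                        const warnAboutAllowedPopups = function() {
                            if (document && document.querySelectorAll) {
                                const popupElements = document.querySelectorAll("[allowpopups]");
                                if (!popupElements || popupElements.length === 0) {
                                    return;
                                }
                                const warning = `A <webview> has "allowpopups" set to true. This exposes
        users of this app to some security risk, since popups are just
        BrowserWindows. If you do not need this feature, you should disable it.
    
        ${moreInformation}`;
                                console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", warning);
                            }
                        };

                        // The remote module counts as enabled when the preference is unset (null or
                        // undefined) as well as when it is truthy; only an explicit falsy value is quiet.
                        const warnAboutRemoteModuleWithRemoteContent = function(webPreferences) {
                            if (!webPreferences || isLocalhost()) {
                                return;
                            }
                            if ((webPreferences.enableRemoteModule == null || !!webPreferences.enableRemoteModule) && getIsRemoteProtocol()) {
                                const warning = `This renderer process has "enableRemoteModule" enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", warning);
                            }
                        };

                        /**
                         * Runs every check, in a fixed order.
                         * @param {object|undefined} webPreferences Preferences reported by the main process;
                         *   the checks that read it stay silent when it is missing.
                         * @param {*} nodeIntegration Truthy when Node.js integration is enabled for this renderer.
                         */
                        const logSecurityWarnings = function(webPreferences, nodeIntegration) {
                            warnAboutNodeWithRemoteContent(nodeIntegration);
                            warnAboutDisabledWebSecurity(webPreferences);
                            warnAboutInsecureResources();
                            warnAboutInsecureContentAllowed(webPreferences);
                            warnAboutExperimentalFeatures(webPreferences);
                            warnAboutEnabledBlinkFeatures(webPreferences);
                            warnAboutInsecureCSP();
                            warnAboutAllowedPopups();
                            warnAboutRemoteModuleWithRemoteContent(webPreferences);
                        };

                        /**
                         * Module entry point: registers a one-shot "load" listener that runs the
                         * checks when warnings are enabled for this process.
                         * @param {*} nodeIntegration Passed through to the Node.js-integration check.
                         */
                        exports.securityWarnings = function securityWarnings(nodeIntegration) {
                            window.addEventListener("load", async function() {
                                if (shouldLogSecurityWarnings()) {
                                    const webPreferences = await getWebPreferences();
                                    logSecurityWarnings(webPreferences, nodeIntegration);
                                }
                            }, {
                                once: true
                            });
                        };
                    }
                    ).call(this, __webpack_require__(/*! @electron/internal/renderer/webpack-provider */
                    "./lib/renderer/webpack-provider.ts").process);
                },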
    
    

    refs



    ©xgqfrms 2012-2020

    www.cnblogs.com 发布文章使用:只允许注册用户才可以访问!


  • 原文地址:https://www.cnblogs.com/xgqfrms/p/13983683.html