  • xgqfrms™, xgqfrms® : xgqfrms's offical website of GitHub!

    Electron Security All In One

    https://www.electronjs.org/docs/tutorial/security

    CSP

    Content-Security-Policy

    
    Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled.
    This exposes users of this app to unnecessary security risks.
    
    For more information and help, consult
    https://electronjs.org/docs/tutorial/security.
    This warning will not show up
    once the app is packaged.
    (anonymous) @ electron/js2c/renderer_init.js:111
    
    

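                "./lib/renderer/security-warnings.ts": /*!*******************************************!*
      !*** ./lib/renderer/security-warnings.ts ***!
      *******************************************/
                /*! no static exports found */
                /**
                 * Webpack-bundled renderer module that prints the "Electron Security
                 * Warning" console messages. It exports one function, `securityWarnings`,
                 * which waits for the window `load` event and then checks the renderer's
                 * web preferences and the loaded page.
                 *
                 * The checks only run when the executable path looks like a plain
                 * Electron binary, or when ELECTRON_ENABLE_SECURITY_WARNINGS is set.
                 * A packaged app that prints no warnings has therefore not been shown
                 * to be safely configured; the checks simply did not run.
                 *
                 * Corrections relative to the listing as published on the page:
                 *  - the "\n" escapes in the two double-quoted strings (the help text
                 *    and the join separator) had been expanded into raw line breaks,
                 *    which is not valid JavaScript; they are escapes again here;
                 *  - the Windows suffix is written "\\electron.exe", so the path
                 *    separator is part of the comparison;
                 *  - the web-preferences lookup awaits the IPC call inside its `try`,
                 *    so a rejected call reaches the `catch`.
                 * Line breaks inside the template literals are kept as the page shows them.
                 *
                 * @param {object} module - webpack module object (not used here)
                 * @param {object} exports - receives `securityWarnings`
                 * @param {Function} require - webpack's module loader
                 */
                function(module, exports, require) {
                    "use strict";
                    (function(process) {
                        Object.defineProperty(exports, "__esModule", {
                            value: true
                        });
                        const electron = require(/*! electron */
                        "./lib/renderer/api/exports/electron.ts");
                        const ipcInternal = require(/*! @electron/internal/renderer/ipc-renderer-internal */
                        "./lib/renderer/ipc-renderer-internal.ts");

                        // Cached decision on whether to print warnings; null means "not decided yet".
                        let shouldLog = null;
                        const {platform, execPath, env} = process;

                        /**
                         * True when the page's protocol starts with http, https, ftp or ftps.
                         * Returns undefined when window.location.protocol is unavailable.
                         */
                        const getIsRemoteProtocol = function() {
                            if (window && window.location && window.location.protocol)
                                return /^(http|ftp)s?/gi.test(window.location.protocol);
                        };

                        /**
                         * True only for the literal hostname "localhost"; loopback IP
                         * addresses are not treated as local by this check.
                         */
                        const isLocalhost = function() {
                            return Boolean(window && window.location) && window.location.hostname === "localhost";
                        };

                        // Footer appended to every warning.
                        const moreInformation = "\nFor more information and help, consult\nhttps://electronjs.org/docs/tutorial/security.\nThis warning will not show up\nonce the app is packaged.";

                        /**
                         * Warns when Node.js integration is on and the page came from a
                         * remote protocol on a host other than localhost.
                         */
                        const warnAboutNodeWithRemoteContent = function(nodeIntegration) {
                            if (nodeIntegration && !isLocalhost() && getIsRemoteProtocol()) {
                                const warning = `This renderer process has Node.js integration enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to severe security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Node.js Integration with Remote Content)", "font-weight: bold;", warning);
                            }
                        };

                        /** Warns only when `webSecurity` is explicitly `false`. */
                        const warnAboutDisabledWebSecurity = function(webPreferences) {
                            if (!webPreferences || webPreferences.webSecurity !== false)
                                return;
                            const warning = `This renderer process has "webSecurity" disabled. This
      exposes users of this app to severe security risks.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Disabled webSecurity)", "font-weight: bold;", warning);
                        };

                        /**
                         * Lists resources the page fetched over http: or ftp: from hosts
                         * other than localhost, taken from the Performance API entries.
                         */
                        const warnAboutInsecureResources = function() {
                            if (!window || !window.performance || !window.performance.getEntriesByType)
                                return;
                            const resources = window.performance.getEntriesByType("resource")
                                .filter(({name}) => /^(http|ftp):/gi.test(name || ""))
                                .filter(({name}) => new URL(name).hostname !== "localhost")
                                .map(({name}) => `- ${name}`)
                                .join("\n");
                            if (!resources || resources.length === 0)
                                return;
                            const warning = `This renderer process loads resources using insecure
      protocols. This exposes users of this app to unnecessary security risks.
      Consider loading the following resources over HTTPS or FTPS. 
    ${resources}
      
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (Insecure Resources)", "font-weight: bold;", warning);
                        };

                        /** Warns when `allowRunningInsecureContent` is truthy. */
                        const warnAboutAllowRunningInsecureContent = function(webPreferences) {
                            if (!webPreferences || !webPreferences.allowRunningInsecureContent)
                                return;
                            const warning = `This renderer process has "allowRunningInsecureContent"
      enabled. This exposes users of this app to severe security risks.
    
      ${moreInformation}`;
                            console.warn("%cElectron Security Warning (allowRunningInsecureContent)", "font-weight: bold;", warning);
                        };

                        /** Warns when `experimentalFeatures` is truthy. */
                        const warnAboutExperimentalFeatures = function(webPreferences) {
                            if (!webPreferences || !webPreferences.experimentalFeatures)
                                return;
                            const warning = `This renderer process has "experimentalFeatures" enabled.
      This exposes users of this app to some security risk. If you do not need
      this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (experimentalFeatures)", "font-weight: bold;", warning);
                        };

                        /**
                         * Warns when the preferences carry their own `enableBlinkFeatures`
                         * key, unless its value is truthy and has length 0.
                         */
                        const warnAboutEnableBlinkFeatures = function(webPreferences) {
                            if (!webPreferences || !Object.prototype.hasOwnProperty.call(webPreferences, "enableBlinkFeatures") || webPreferences.enableBlinkFeatures && webPreferences.enableBlinkFeatures.length === 0)
                                return;
                            const warning = `This renderer process has additional "enableBlinkFeatures"
      enabled. This exposes users of this app to some security risk. If you do not
      need this feature, you should disable it.
    ${moreInformation}`;
                            console.warn("%cElectron Security Warning (enableBlinkFeatures)", "font-weight: bold;", warning);
                        };

                        /**
                         * Runs a probe in the page that tries `new Function("")` and warns
                         * when it succeeds. Per the warning text, success means there is no
                         * Content Security Policy or one that enables "unsafe-eval".
                         */
                        const warnAboutInsecureCSP = function() {
                            const probe = () => {
                                try {
                                    new Function("");
                                } catch {
                                    return false;
                                }
                                return true;
                            };
                            // The probe is stringified and evaluated via webFrame; the
                            // second argument is passed as `false`, as in the original.
                            electron.webFrame._executeJavaScript(`(${probe.toString()})()`, false).then((isUnsafeEvalEnabled) => {
                                if (!isUnsafeEvalEnabled)
                                    return;
                                const warning = `This renderer process has either no Content Security
        Policy set or a policy with "unsafe-eval" enabled. This exposes users of
        this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (Insecure Content-Security-Policy)", "font-weight: bold;", warning);
                            });
                        };

                        /** Warns when any element in the document carries an `allowpopups` attribute. */
                        const warnAboutAllowedPopups = function() {
                            if (document && document.querySelectorAll) {
                                const elements = document.querySelectorAll("[allowpopups]");
                                if (!elements || elements.length === 0)
                                    return;
                                const warning = `A <webview> has "allowpopups" set to true. This exposes
        users of this app to some security risk, since popups are just
        BrowserWindows. If you do not need this feature, you should disable it.
    
        ${moreInformation}`;
                                console.warn("%cElectron Security Warning (allowpopups)", "font-weight: bold;", warning);
                            }
                        };

                        /**
                         * Warns when remote content is loaded while `enableRemoteModule`
                         * is truthy or left unset (null/undefined counts as enabled here).
                         */
                        const warnAboutRemoteModuleWithRemoteContent = function(webPreferences) {
                            if (!webPreferences || isLocalhost())
                                return;
                            const remoteModuleEnabled = webPreferences.enableRemoteModule == null || !!webPreferences.enableRemoteModule;
                            if (remoteModuleEnabled && getIsRemoteProtocol()) {
                                const warning = `This renderer process has "enableRemoteModule" enabled
        and attempted to load remote content from '${window.location}'. This
        exposes users of this app to unnecessary security risks.
    ${moreInformation}`;
                                console.warn("%cElectron Security Warning (enableRemoteModule)", "font-weight: bold;", warning);
                            }
                        };

                        /**
                         * Runs every check, in the same order as the original listing.
                         * `webPreferences` may be undefined when the lookup failed; the
                         * preference-based checks then return without warning.
                         */
                        const logSecurityWarnings = function(webPreferences, nodeIntegration) {
                            warnAboutNodeWithRemoteContent(nodeIntegration);
                            warnAboutDisabledWebSecurity(webPreferences);
                            warnAboutInsecureResources();
                            warnAboutAllowRunningInsecureContent(webPreferences);
                            warnAboutExperimentalFeatures(webPreferences);
                            warnAboutEnableBlinkFeatures(webPreferences);
                            warnAboutInsecureCSP();
                            warnAboutAllowedPopups();
                            warnAboutRemoteModuleWithRemoteContent(webPreferences);
                        };

                        /**
                         * Decides once, then caches, whether warnings are printed.
                         * The default comes from the executable path per platform; the
                         * DISABLE switch is applied next and the ENABLE switch last, so
                         * ENABLE wins when both are set.
                         */
                        const shouldLogSecurityWarnings = function() {
                            if (shouldLog !== null)
                                return shouldLog;
                            switch (platform) {
                            case "darwin":
                                shouldLog = execPath.endsWith("MacOS/Electron") || execPath.includes("Electron.app/Contents/Frameworks/");
                                break;
                            case "freebsd":
                            case "linux":
                                shouldLog = execPath.endsWith("/electron");
                                break;
                            case "win32":
                                // Escaped backslash: match the file name, not any name ending in "electron.exe".
                                shouldLog = execPath.endsWith("\\electron.exe");
                                break;
                            default:
                                shouldLog = false;
                            }
                            if (env && env.ELECTRON_DISABLE_SECURITY_WARNINGS || window && window.ELECTRON_DISABLE_SECURITY_WARNINGS)
                                shouldLog = false;
                            if (env && env.ELECTRON_ENABLE_SECURITY_WARNINGS || window && window.ELECTRON_ENABLE_SECURITY_WARNINGS)
                                shouldLog = true;
                            return shouldLog;
                        };

                        /**
                         * Asks the main process for the last web preferences over the
                         * internal IPC channel. Resolves to undefined after logging when
                         * the call fails.
                         */
                        const getWebPreferences = async function() {
                            try {
                                // `await` keeps a rejected invoke() inside this try block.
                                return await ipcInternal.ipcRendererInternal.invoke("ELECTRON_BROWSER_GET_LAST_WEB_PREFERENCES");
                            } catch (error) {
                                console.warn(`getLastWebPreferences() failed: ${error}`);
                            }
                        };

                        /**
                         * Registers a one-shot `load` listener that prints the warnings.
                         *
                         * @param nodeIntegration - forwarded to the Node.js-integration
                         *   check; a truthy value enables that warning.
                         */
                        exports.securityWarnings = function securityWarnings(nodeIntegration) {
                            window.addEventListener("load", async function() {
                                if (shouldLogSecurityWarnings()) {
                                    const webPreferences = await getWebPreferences();
                                    logSecurityWarnings(webPreferences, nodeIntegration);
                                }
                            }, {
                                once: true
                            });
                        };
                    }
                    ).call(this, require(/*! @electron/internal/renderer/webpack-provider */
                    "./lib/renderer/webpack-provider.ts").process);
                },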
    
    

    refs



    ©xgqfrms 2012-2020

  • 原文地址:https://www.cnblogs.com/xgqfrms/p/13983683.html