Nightmare Security Checklist
matthewmueller opened this issue · 3 comments
This checklist explains what nightmare has implemented from the electron security guidelines and why.
⛔️ Only load secure content
We can't do this because some websites you'll want to visit with nightmare are insecure (e.g. http)
✅ Disable the Node.js integration in all renderers that display remote content
This has been disabled to prevent any website executing node.js code on your computer.
⛔️ Enable context isolation in all renderers that display remote content
We don't do this yet, but we're very careful which data can be sent through the IPC.
We should be able to enable this once we refactor .evaluate(src) to use promises. More info here: #1387
⛔️ Use ses.setPermissionRequestHandler() in all sessions that load remote content
We don't use a default permission request handler, but it would be easy to create one with custom actions.
The concern here is that a potentially malicious website could ask for your location (or one of the other permissions), and electron automatically accepts the permissions by default
✅ Do not disable webSecurity
We don't disable web security
⛔️ Define a Content-Security-Policy and use restrictive rules (i.e. script-src 'self')
Unfortunately, this would cause some websites to stop working.
⛔️ Override and disable eval, which allows strings to be executed as code.
Unfortunately, this would cause some websites to stop working.
✅ Do not set allowRunningInsecureContent to true
We don't allow running insecure content
✅ Do not enable experimental features
We don't enable experimental features
✅ Do not use blinkFeatures
We don't use blink features
✅ WebViews: Do not use allowpopups
We don't use webviews.
✅ WebViews: Verify the options and params of all tags
We don't use webviews.
✅ Do not enable experimental features
We don't disable experimental features
Hopefully one of these words is backwards?
@glyph good catch! updated
Thanks!