Skip to content

Commit

Permalink
Merge pull request #24 from acrosman/feature/security_tweaks_20210511
Browse files Browse the repository at this point in the history
disables auxclick adds setPermissionRequestHandler
  • Loading branch information
acrosman authored May 12, 2021
2 parents 79cafc8 + 0679b45 commit 993de86
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions main.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ const {
app,
BrowserWindow,
ipcMain,
session,
} = electron;

// Developer Dependencies.
Expand Down Expand Up @@ -39,6 +40,7 @@ function createWindow() {
nodeIntegration: false, // Disable nodeIntegration for security.
nodeIntegrationInWorker: false,
nodeIntegrationInSubFrames: false,
disableBlinkFeatures: 'Auxclick', // See: https://github.com/doyensec/electronegativity/wiki/AUXCLICK_JS_CHECK
contextIsolation: true, // Enabling contextIsolation to protect against prototype pollution.
worldSafeExecuteJavaScript: true, // https://github.com/electron/electron/pull/24712
enableRemoteModule: false, // Turn off remote to avoid temptation.
Expand All @@ -59,6 +61,15 @@ function createWindow() {
// when you should delete the corresponding element.
mainWindow = null;
});

// Lock down session permissions.
// https://www.electronjs.org/docs/tutorial/security#4-handle-session-permission-requests-from-remote-content
// https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK
session
.fromPartition('secured-partition')
.setPermissionRequestHandler((webContents, permission, callback) => {
callback(false);
});
}

// This method will be called when Electron has finished
Expand Down

0 comments on commit 993de86

Please sign in to comment.