electron / electron

:electron: Build cross-platform desktop apps with JavaScript, HTML, and CSS

Home Page:https://electronjs.org


[Feature Request]: Better <webview> DX Security - Pit of success

MentalGear opened this issue · comments

Preflight Checklist

Problem Description

The doc describes how remote content can add a new render instance by simply adding <webview> and is even allowed to set its options, like nodeIntegration, which is a serious security issue. To prevent this, a code example is provided, but it is not prevented by default.

However, a WebView will always create an independent renderer process with its own webPreferences.

Src: https://www.electronjs.org/docs/latest/tutorial/security#12-verify-webview-options-before-creation

Proposed Solution

A better approach than counting on devs to add this code snippet themselves would be to have smart defaults for a pit of success.

I propose the global vars:

  • webviewCanCreateWebview [false] - check if a webview can be created from within another webview
  • instanceCanCreateWebview [false] - check if render instances can create <webview> on the fly

Also a default setting that doesn't allow child <webview> to have more permissions than their parent would be advisable.

Alternatives Considered

  • counting on devs to implement check manually each time (pit of failure)

Additional Information

No response
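As an added example (not the issue author's code and not Electron's own), here is a main-process guard for the `will-attach-webview` event that does what section 12 of the linked security guide recommends: strip the preload, force `nodeIntegration` off, and refuse to attach a `<webview>` whose `src` is not allow-listed. The policy is factored into a pure function so it can be exercised without Electron, and it goes slightly beyond the guide's snippet by comparing the parsed URL origin rather than a string prefix, and by denying unparseable or non-HTTP(S) sources. The allow-listed origin `https://app.example.com` and the function names are assumptions for the demonstration.

```javascript
// Added example, not code from the Electron docs or from this issue.
// Assumed allow-list for the demo; a real app would read this from its config.
const ALLOWED_WEBVIEW_ORIGINS = new Set(['https://app.example.com']);

// Pure policy: decide whether a <webview> may attach and neutralise dangerous
// options. `webPreferences` is the mutable object Electron passes to
// `will-attach-webview`; `params` carries the tag attributes, including `src`.
// Returns a decision object so the caller (and a test) can see what changed.
function vetWebviewAttach(webPreferences, params, allowedOrigins = ALLOWED_WEBVIEW_ORIGINS) {
  const stripped = [];

  // The remote page must not hand its child more power than it has itself:
  // drop any preload it requested and force Node integration off.
  if ('preload' in webPreferences) {
    delete webPreferences.preload;
    stripped.push('preload');
  }
  if (webPreferences.nodeIntegration !== false) {
    webPreferences.nodeIntegration = false;
    stripped.push('nodeIntegration');
  }

  // Compare the origin of the requested src, not a string prefix: a
  // `startsWith('https://app.example.com')` check without a trailing slash
  // would accept https://app.example.com.attacker.net. Sources that do not
  // parse, or that have an opaque origin (javascript:, file:, data:), yield
  // "null" here and are denied because "null" is never allow-listed.
  let origin;
  try {
    origin = new URL(String(params.src)).origin;
  } catch (e) {
    return { allow: false, reason: 'unparseable src', stripped };
  }
  if (!allowedOrigins.has(origin)) {
    return { allow: false, reason: `origin ${origin} not allow-listed`, stripped };
  }
  return { allow: true, reason: 'ok', stripped };
}

// Wiring into Electron. `app` is passed in rather than required at module
// scope so this file also loads outside Electron; in main.js you would call
// installWebviewGuard(require('electron').app) before any window is created.
function installWebviewGuard(app, allowedOrigins = ALLOWED_WEBVIEW_ORIGINS) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      const decision = vetWebviewAttach(webPreferences, params, allowedOrigins);
      if (!decision.allow) {
        console.warn(`blocked <webview> ${params.src}: ${decision.reason}`);
        event.preventDefault(); // the renderer is never created
      }
    });
  });
}
```

Note that this guard only matters once `webPreferences.webviewTag` has been set to `true` on a BrowserWindow; with the default (`false`) the tag is inert and the event never fires. Keep both: the default protects windows you forgot about, the guard constrains the one window where you deliberately enabled the tag.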

even is allowed to set its options, like nodeIntegration - which is a serious security issue

The first sentence of the docs you've linked explicitly states (emphasis mine):

A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself.

In addition, the webPreferences.webviewTag option defaults to false already.

But maybe I'm misunderstanding what you are proposing. I'm just trying to make my own app secure and just double-checked that webview is disabled by default, so I don't need will-attach-webview to prevent them.

Could you post a Fiddle that demonstrates what you want to prevent by default? Especially the part about a malicious webview creating a child with more permissions. It'd be scary if that's possible, but like I said webview is disabled by default and not recommended anyway. The webview docs start with:

We currently recommend to not use the webview tag

Hi @Prinzhorn
Just wanted to clarify that the docs I pointed to are the security guide:

A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. **However**, a WebView will always create an independent renderer process with its own webPreferences.

But I didn't know <browserwindow> was recommended over <webview>, which can't be used by default. I just started out with the electron docs and the security docs didn't mention to use one over the other.