[Feature Request]: Better <webview> DX Security - Pit of success
MentalGear opened this issue
Preflight Checklist
- I have read the Contributing Guidelines for this project.
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for a feature request that matches the one I want to file, without success.
Problem Description
The doc describes how a remote content can add a new render instance by simply adding `<webview>` and even is allowed to set its options, like nodeIntegration - which is a serious security issue. To prevent this, a proposed code example is provided but it's not prevented by default.
However, a WebView will always create an independent renderer process with its own webPreferences.
Src: https://www.electronjs.org/docs/latest/tutorial/security#12-verify-webview-options-before-creation
Proposed Solution
A better approach than counting on devs to add this code snippet themselves would be to have smart defaults for a pit of success.
I propose the global vars:
- `webviewCanCreateWebview` [false] - check if a webview can be created from within another webview
- `instanceCanCreateWebview` [false] : check if render instances can create `<webview>` on the fly
Also a default setting that doesn't allow child `<webview>` to have more permissions than their parent would be advisable.
Alternatives Considered
- counting on devs to implement check manually each time (pit of failure)
Additional Information
No response
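The defaults proposed above, sketched as a `will-attach-webview` guard for the main process. This is an added example, not Electron's code and not code from this issue: the two policy flags reuse the names from the proposal, while `allowedOrigins`, `DEFAULT_POLICY`, `decideWebviewAttach` and `installWebviewGuard` are hypothetical names, and `https://example.com` is a placeholder origin.

```javascript
// Added example. Policy names follow the issue's proposal; they are NOT Electron options.
const DEFAULT_POLICY = {
  instanceCanCreateWebview: false, // may any renderer attach a <webview>?
  webviewCanCreateWebview: false,  // may a <webview> guest attach a nested one?
  allowedOrigins: [],              // hypothetical allow-list, e.g. ['https://example.com']
};

// Pure decision: returns { allow, reason }; on allow, clamps the guest's webPreferences in place.
function decideWebviewAttach(hostType, webPreferences, params, policy = DEFAULT_POLICY) {
  if (!policy.instanceCanCreateWebview) {
    return { allow: false, reason: 'webview creation disabled' };
  }
  if (hostType === 'webview' && !policy.webviewCanCreateWebview) {
    return { allow: false, reason: 'nested webview disabled' };
  }
  let origin;
  try {
    origin = new URL(params.src).origin; // exact origin match, not a string prefix
  } catch {
    return { allow: false, reason: 'invalid src' };
  }
  if (!policy.allowedOrigins.includes(origin)) {
    return { allow: false, reason: 'origin not allowed' };
  }
  delete webPreferences.preload;            // drop any preload requested via the tag
  webPreferences.nodeIntegration = false;   // guest never gets Node.js
  webPreferences.contextIsolation = true;
  webPreferences.webviewTag = policy.webviewCanCreateWebview; // guest cannot nest by default
  return { allow: true, reason: 'ok' };
}

// Wiring for the main process: pass `app` from require('electron').
function installWebviewGuard(app, policy = DEFAULT_POLICY) {
  app.on('web-contents-created', (_event, contents) => {
    // Fires on the host webContents when a <webview> is about to be attached to it.
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      const verdict = decideWebviewAttach(contents.getType(), webPreferences, params, policy);
      if (!verdict.allow) event.preventDefault();
    });
  });
}
```

With the default policy every attach is refused; an app that needs `<webview>` opts in explicitly and lists the origins it embeds.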
> even is allowed to set its options, like nodeIntegration - which is a serious security issue

The first sentence of the docs you've linked explicitly states (emphasis mine):
> A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself.

In addition the `webPreferences.webviewTag` option defaults to `false` already.
But maybe I'm misunderstanding what you are proposing, I'm just trying to make my own app secure and just double checked that webview is disabled by default, so I don't need `will-attach-webview` to prevent them.
Could you post a Fiddle that demonstrates what you want to prevent by default? Especially the part about a malicious webview creating a child with more permissions. It'd be scary if that's possible, but like I said webview is disabled by default and not recommended anyway. The webview docs start with:
> We currently recommend to not use the webview tag

Hi @Prinzhorn
Just wanted to clarify that the docs I pointed to are the security guide:
> A WebView created in a renderer process that does not have Node.js integration enabled will not be able to enable integration itself. **However**, a WebView will always create an independent renderer process with its own webPreferences.

But I didn't know `<browserwindow>` was recommended over `<webview>`, which can't be used by default. I just started out with the electron docs and the security docs didn't mention to use one over the other.