If you don't set a Content-Security-Policy in your Electron app, you might see a message like this in the developer tools console:
Electron Security Warning (Insecure Content-Security-Policy)
This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to unnecessary security risks.
For more information and help, consult https://electronjs.org/docs/tutorial/security. This warning will not show up once the app is packaged.
The Electron Security Warning was added in Electron 6.
Probably one of the easier ways to set one is to use the HTML meta tag to add a Content Security Policy in your renderer's HTML:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
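The meta tag covers pages you control, but Electron also lets the main process attach the header to every response a session loads, which is the usual choice when content comes from a server or when you want one policy enforced in one place. The following is an added example, not code from the original post or from the Electron project: it assumes an Electron Session object (for instance electron.session.defaultSession) is passed in as `session`, and it refuses to install a policy that still grants 'unsafe-eval', since that is exactly what the security warning above flags.

```javascript
// Added example (not from the original post): apply a Content-Security-Policy
// to every response an Electron session loads, and reject policies that still
// allow 'unsafe-eval'. The `session` argument is assumed to be an Electron
// Session object; nothing here requires the electron module, so the helpers
// can be exercised with a stand-in session in tests.

const DEFAULT_CSP = "default-src 'self'";

// True when any directive in the policy grants 'unsafe-eval'.
function policyAllowsUnsafeEval(policy) {
  return policy
    .split(';')
    .some((directive) => /(^|\s)'unsafe-eval'(\s|$)/.test(directive.trim()));
}

// Merge a CSP header into the response headers Electron hands to an
// onHeadersReceived listener. Header names arrive in arbitrary case, so any
// existing Content-Security-Policy entry is dropped before ours is added;
// values are arrays because Electron represents multi-valued headers that way.
function withCsp(responseHeaders, policy) {
  const merged = {};
  for (const [name, value] of Object.entries(responseHeaders || {})) {
    if (name.toLowerCase() !== 'content-security-policy') {
      merged[name] = value;
    }
  }
  merged['Content-Security-Policy'] = [policy];
  return merged;
}

// Register the listener on a session. Throws if the policy would trigger the
// 'unsafe-eval' warning, so a misconfiguration fails at startup rather than
// silently shipping in a packaged app (where the warning is no longer shown).
function installCsp(session, policy = DEFAULT_CSP) {
  if (policyAllowsUnsafeEval(policy)) {
    throw new Error(`refusing to install a CSP that allows 'unsafe-eval': ${policy}`);
  }
  session.webRequest.onHeadersReceived((details, callback) => {
    callback({ responseHeaders: withCsp(details.responseHeaders, policy) });
  });
  return policy;
}

// In the main process this would be called as:
//   installCsp(session.defaultSession);
```

Because the warning is suppressed once the app is packaged, the startup check in installCsp is the part worth keeping: it turns a policy regression that would otherwise be invisible in production into an immediate failure.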
If your Electron app does have a Content-Security-Policy set but has to allow 'unsafe-eval', look for calls to the eval() function and see if they can be removed. If the eval call is in a third-party library, see if you can update it. Sometimes older versions of libraries have a call to eval, and newer versions have been fixed to avoid it.
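Finding those calls by hand across your own code and vendored libraries is tedious, so here is an added example (not from the original post) of a small scanner for the constructs that require 'unsafe-eval' under CSP: eval(), the Function constructor, and string arguments to setTimeout/setInterval. It goes slightly beyond the post, which only mentions eval(), because the other two forms trip the same CSP restriction. The sample source it scans is constructed for the demo, and the scanner works on a string so it can be pointed at any file you read in.

```javascript
// Added example (not from the original post): report source lines that use
// constructs blocked by a CSP without 'unsafe-eval'. Pure string processing;
// read a file with fs.readFileSync(path, 'utf8') and pass the text in.

const EVAL_PATTERNS = [
  // eval(...) but not identifiers such as evaluate(...)
  { name: 'eval()', re: /\beval\s*\(/ },
  // new Function(...) and Function(...) compile code from strings
  { name: 'Function constructor', re: /\bFunction\s*\(/ },
  // setTimeout("code", ms) / setInterval("code", ms) also evaluate strings
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

// Returns [{ line, name, text }] for every line matching a pattern.
// Lines that are purely a // comment are skipped so that a mention in a
// comment does not count as a finding (block comments are not parsed).
function findEvalUsage(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const trimmed = text.trim();
    if (trimmed.startsWith('//')) return;
    for (const { name, re } of EVAL_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, name, text: trimmed });
    }
  });
  return findings;
}

// Constructed sample input: a mix of offending and harmless lines.
const SAMPLE_SOURCE = `
// eval() in a comment should not count
function parseConfig(raw) {
  return eval('(' + raw + ')'); // needs 'unsafe-eval'
}
const tpl = new Function('data', 'return data.name');
setTimeout("refresh()", 1000);
const fine = JSON.parse('{"ok": true}');
`;

// Human-readable report, one finding per line.
function formatReport(findings) {
  return findings.map((f) => `line ${f.line}: ${f.name}  ${f.text}`).join('\n');
}

console.log(formatReport(findEvalUsage(SAMPLE_SOURCE)));
```

The JSON.parse line is there on purpose: it is the usual replacement for eval-based config parsing, and it produces no finding. Run the scanner over node_modules for the library you suspect, and compare the count against a newer release to confirm whether the upgrade really removes the eval call before you tighten the policy.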