Content Security Policy (CSP)
Examples


Example Electron Content-Security-Policy warning

If you don't set a Content-Security-Policy in your electron app, You might see a message like this in the developer tools console:

Electron Security Warning (Insecure Content-Security-Policy)
This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to unnecessary security risks.
For more information and help, consult https://electronjs.org/docs/tutorial/security. This warning will not show up once the app is packaged.

The Electron Security Warning was added in Electron 6.

Adding a Content-Security-Policy to Electron Apps

Probably one of the easier ways to do this is to use the HTML Meta Tag to add a Content Security Policy.

For example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

Removing unsafe-eval

If your Electron App does have a Content-Security-Policy set, but has to use unsafe-eval, then take a look through your JavaScript code for calls to the eval() function and see if they can be removed. If the eval call is in third party libraries, see if you can update it. Sometimes older versions of libraries have a call to eval, and newer versions have been fixed to avoid it.

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn more about CSP on the double? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy