Content Security Policy (CSP)

Example Electron Content-Security-Policy warning

If you don't set a Content-Security-Policy in your Electron app, you might see a message like this in the developer tools console:

Electron Security Warning (Insecure Content-Security-Policy)
This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to unnecessary security risks.
For more information and help, consult This warning will not show up once the app is packaged.

The Electron Security Warning was added in Electron 6.

Adding a Content-Security-Policy to Electron Apps

One of the easiest ways to do this is to add a Content Security Policy with an HTML meta tag in the renderer's HTML page.

For example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

Removing unsafe-eval

If your Electron app does have a Content-Security-Policy set but has to use unsafe-eval, look through your JavaScript code for calls to the eval() function and see whether they can be removed. If the eval call is in a third-party library, see whether you can update it: older versions of some libraries call eval, and newer versions have been fixed to avoid it.
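To see exactly which policies trigger the warning described above (no policy at all, or one that allows eval), here is an added example that is not from the original page or from Electron: a small CSP parser that finds the directive governing scripts and reports whether 'unsafe-eval' is permitted, plus a helper that builds the meta tag shown earlier. The sample policies are constructed for the check.

```javascript
// Added example (not from the original page): parse a CSP string the way a
// browser does (directives separated by ';', tokens by whitespace) and report
// whether it leaves script execution open to eval(). This mirrors the two
// conditions behind Electron's warning: no policy at all, or 'unsafe-eval' in
// the directive that governs scripts (script-src, falling back to default-src).

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns true when eval() would be allowed under this policy, i.e. when the
// renderer would trigger the Electron Security Warning.
function cspAllowsEval(policy) {
  if (typeof policy !== 'string' || policy.trim() === '') return true; // no CSP
  const directives = parseCsp(policy);
  const scriptSources =
    directives.get('script-src') ?? directives.get('default-src');
  if (scriptSources === undefined) return true; // nothing restricts scripts
  // CSP keywords are matched case-insensitively.
  return scriptSources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Builds the <meta> tag form of the policy, as shown on this page.
function cspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Constructed sample policies for a quick self-check.
const samples = {
  none: '',
  pageExample: "default-src 'self'",
  withEval: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  fixed: "default-src 'self'; script-src 'self'",
  imagesOnly: "img-src 'self'",
};
for (const [label, policy] of Object.entries(samples)) {
  const verdict = cspAllowsEval(policy) ? 'WARN' : 'ok';
  console.log(label.padEnd(12), verdict.padEnd(5), cspMetaTag(policy));
}
```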

CSP Developer Field Guide


Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.


Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.