CSP_GLOBAL_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 3 revisions

CSP_GLOBAL_CHECK - CSP presence check and review

Electron apps, when possible, should implement a Content Security Policy (CSP) as an additional layer of protection against cross-site scripting and data injection attacks. There are two ways to set a CSP in Electron: via the webRequest.onHeadersReceived handler, or directly in the markup using a <meta> tag.
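Both ways of setting a policy, as an added example that is not part of this wiki page or of Electronegativity's code. The policy string, the API origin https://api.example.com and the header-casing handling are constructed for the example; the handler shape (details.responseHeaders as a map of header name to array of values, and a callback that receives the modified headers) follows Electron's webRequest.onHeadersReceived API.

```javascript
// Policy constructed for this example: own-origin scripts and styles, no plugins,
// no framing, network fetches limited to the app's own (assumed) API origin.
const POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "connect-src 'self' https://api.example.com", // assumed API origin
  "object-src 'none'",
  "frame-ancestors 'none'",
  "base-uri 'self'",
].join('; ');

// Way 1: the webRequest.onHeadersReceived listener. In Electron it is registered
// with session.defaultSession.webRequest.onHeadersReceived(cspHeadersReceived).
// details.responseHeaders maps header names to arrays of values; the listener
// must call `callback` with the headers it wants the renderer to see.
function cspHeadersReceived(details, callback) {
  const headers = { ...details.responseHeaders };
  // Drop any CSP header the remote server sent, whatever its letter case, so the
  // app's own policy is the only one the renderer enforces.
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'content-security-policy') delete headers[name];
  }
  headers['Content-Security-Policy'] = [POLICY];
  callback({ responseHeaders: headers });
}

// Way 2: the <meta> tag, needed for pages loaded from the filesystem (file://),
// where there is no HTTP response to carry the header.
function cspMetaTag() {
  return `<meta http-equiv="Content-Security-Policy" content="${POLICY}">`;
}

// Wiring for the main process; `session` is an Electron Session object.
function installCsp(session) {
  session.webRequest.onHeadersReceived(cspHeadersReceived);
}
```

The listener replaces rather than appends: with two Content-Security-Policy headers the renderer enforces both, so a permissive upstream header would not weaken the app's policy, but a second header also makes the effective policy harder to audit. A renderer that loads local HTML needs the <meta> variant in every page, since the header path only covers HTTP(S) responses.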

This check determines whether a CSP is set, via JS or HTML, or is missing:

  • If a CSP is detected, Electronegativity looks for weak directives using a library based on the csp-evaluator.withgoogle.com online tool.
  • If no CSP is found, Electronegativity issues a warning.
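What the two bullets amount to in code, as an added example that is not Electronegativity's implementation and not the csp-evaluator library: a minimal CSP parser, a <meta>-tag extractor for the HTML side of the check, and a weak-directive checker limited to script-src, object-src and base-uri. The sample policies and HTML are constructed for the example; the findings mirror the categories csp-evaluator reports rather than its exact messages.

```javascript
// Extract the policy from a <meta http-equiv="Content-Security-Policy"> tag,
// or return null when the document carries none (the "no CSP found" case).
function cspFromMeta(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']content-security-policy["']/i.test(tag)) continue;
    const m = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
  }
  return null;
}

// Parse "directive src src; directive src" into a Map of directive -> sources.
// Directive names are lower-cased; a repeated directive is ignored after its
// first occurrence, which is how browsers treat duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `name`, falling back to default-src as CSP does.
function effectiveSources(directives, name) {
  if (directives.has(name)) return { from: name, sources: directives.get(name) };
  if (directives.has('default-src')) return { from: 'default-src', sources: directives.get('default-src') };
  return null;
}

// Returns an array of findings; an empty array means none of these checks fired.
function evaluateCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);

  const script = effectiveSources(d, 'script-src');
  if (!script) {
    findings.push('script-src: neither script-src nor default-src is set, script loading is unrestricted');
  } else {
    const srcs = script.sources.map((s) => s.toLowerCase());
    // 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash is present.
    const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (srcs.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push(`${script.from}: 'unsafe-inline' permits inline script`);
    if (srcs.includes("'unsafe-eval'")) findings.push(`${script.from}: 'unsafe-eval' permits eval()`);
    for (const s of srcs) {
      // Wildcard hosts and bare schemes allow script from any host.
      if (s === '*' || s === 'http://*' || s === 'https://*' || /^(https?|data|blob|filesystem):$/.test(s)) {
        findings.push(`${script.from}: ${s} allows scripts from any origin`);
      }
    }
  }

  const obj = effectiveSources(d, 'object-src');
  if (!obj) findings.push('object-src: missing, plugin content is unrestricted');
  else if (!(obj.sources.length === 1 && obj.sources[0].toLowerCase() === "'none'")) {
    findings.push(`${obj.from}: object-src is not 'none'`);
  }

  if (!d.has('base-uri')) findings.push('base-uri: missing, a <base> tag can redirect relative script URLs');
  return findings;
}

// Constructed sample inputs for the example.
const STRONG_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const SAMPLE_HTML = `<html><head><meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="${STRONG_POLICY}"></head><body></body></html>`;

// Run the check the way the two bullets describe it.
function checkHtml(html) {
  const policy = cspFromMeta(html);
  if (policy === null) return { present: false, findings: ['no CSP found in <meta> tag'] };
  return { present: true, findings: evaluateCsp(policy) };
}
```

The fallback step matters in practice: a policy that sets only default-src 'self' still governs object-src, so the checker reports the default-src fallback as the source of a finding, which is the directive the developer actually needs to change.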

Risk

CSP lets the server that delivers the content restrict and control which resources Electron may load for that web page. For example, https://example.com should be allowed to load scripts only from the origins its policy defines, while scripts from https://evil.attacker.com should not be allowed to run.

Auditing

Check whether a CSP is defined and use the csp-evaluator.withgoogle.com tool to review its directives.

References