CSP_GLOBAL_CHECK
Electron apps, when possible, should implement a Content Security Policy (CSP) as an additional layer of protection against cross-site scripting and data injection attacks.
There are two ways to set a CSP in Electron: either via the `webRequest.onHeadersReceived` handler (which injects a `Content-Security-Policy` response header) or directly in the markup using a `<meta http-equiv="Content-Security-Policy">` tag.
This check determines whether a CSP is set or missing, looking in both the JS (header handler) and the HTML (`<meta>` tag):
- If a CSP is detected, Electronegativity looks for weak directives using a library based on the csp-evaluator.withgoogle.com online tool.
- If no CSP is found, Electronegativity issues a warning.
CSP lets the server that serves the content restrict and control which resources Electron may load for a given web page. For example, a page from https://example.com should only be allowed to load scripts from the origins its policy lists, while a script from https://evil.attacker.com should not be allowed to run.
Check whether a CSP is defined and use the csp-evaluator.withgoogle.com tool to review its directives.
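As an added example (not code from Electronegativity or from Electron's documentation), the block below shows both ways of delivering a CSP in an Electron app together with a small directive check in the spirit of csp-evaluator. The header handler follows the `(details, callback)` shape of Electron's `webRequest.onHeadersReceived`, but the block does not load Electron, so it runs under plain Node; the `STRICT_CSP` and `WEAK_CSP` policies and the list of "broad" source expressions are assumptions chosen for illustration.

```javascript
// Added example: CSP delivery in Electron (header and <meta>) plus a directive check.
// Not Electronegativity's code. Policies below are illustrative assumptions.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
const WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'";

// 1) Header-based delivery. In the main process you would register this with:
//      const { session } = require('electron');
//      session.defaultSession.webRequest.onHeadersReceived(cspHeadersHandler);
function cspHeadersHandler(details, callback) {
  const responseHeaders = { ...(details.responseHeaders || {}) };
  // Electron passes header values as arrays. If the server already sent a CSP,
  // add ours alongside it: when several policies are delivered every one must be
  // satisfied, so appending can only tighten the result, never loosen it.
  const existing = Object.keys(responseHeaders)
    .find((h) => h.toLowerCase() === 'content-security-policy');
  const key = existing || 'Content-Security-Policy';
  responseHeaders[key] = [...(responseHeaders[key] || []), STRICT_CSP];
  callback({ responseHeaders });
}

// 2) Markup-based delivery. A meta CSP cannot carry frame-ancestors, report-uri
// or sandbox, and only governs content loaded after the tag, so place it first in <head>.
function renderMetaCsp(policy) {
  if (policy.includes('"')) {
    throw new Error('CSP source expressions use single quotes; a double quote would break the attribute');
  }
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Minimal CSP parser: "name value value; name value" -> { name: [values] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // Per the CSP spec a repeated directive name is ignored: the first one wins.
    // Values are lowercased only for keyword/host matching below.
    if (!(key in directives)) directives[key] = values.map((v) => v.toLowerCase());
  }
  return directives;
}

// Source expressions that effectively allow scripts from anywhere (assumed list).
const BROAD_SOURCES = new Set(['*', 'http:', 'https:', 'data:', 'blob:', 'filesystem:', 'http://*', 'https://*']);

// Weak-directive check modelled on the kinds of findings csp-evaluator reports.
// Returns an array of finding strings; an empty array means nothing was flagged.
function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) {
    findings.push('script-src and default-src are both missing: scripts may load from any origin');
  } else {
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline', so only flag it without one.
    const hasNonceOrHash = scriptSrc.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("'unsafe-inline' in script-src lets injected inline scripts run");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("'unsafe-eval' in script-src allows eval() and new Function() on injected strings");
    }
    for (const s of scriptSrc) {
      if (BROAD_SOURCES.has(s)) findings.push(`${s} in script-src allows scripts from any host`);
    }
  }
  // object-src also falls back to default-src; anything but 'none' lets plugins execute script.
  const objectSrc = d['object-src'] || d['default-src'];
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src should be 'none': injected plugins could otherwise execute script");
  }
  return findings;
}

console.log('weak policy findings:', evaluateCsp(WEAK_CSP));
console.log('strict policy findings:', evaluateCsp(STRICT_CSP));
console.log(renderMetaCsp(STRICT_CSP));
```

Running the block prints four findings for `WEAK_CSP` and none for `STRICT_CSP`. The handler appends the app policy rather than replacing a server-supplied one; replacing would be the right choice only when the app is the sole authority over the policy, since dropping the server's header silently discards whatever restrictions it carried.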