-
Notifications
You must be signed in to change notification settings - Fork 65
PERMISSION_REQUEST_HANDLER_JS_CHECK
When loading remote untrusted content, it is recommended to enable Session’s permissions handler, which can be used to respond to permission requests. It is possible to access the session of existing pages by using the session property of WebContents
, or from the session module.
win = new BrowserWindow()
win.loadURL('https://doyensec.com')
ses = win.webContents.session
console.log(ses.getUserAgent())
Using setPermissionRequestHandler
, it is possible to write custom code to limit specific permissions (e.g., openExternal
) in response to events from particular origins.
ses.setPermissionRequestHandler((webContents, permission, callback) => {
if (webContents.getURL() !== 'https: //doyensec.com' && permission === 'openExternal') {
return callback(false)
} else {
return callback(true)
}
})
The current version of Electron allows control of the following permissions:
- media
- geolocation
- notifications
- midiSysex
- pointerLock
- fullscreen
- openExternal
Please note that Electron’s Session object is a powerful mechanism with access to many properties of the browser sessions, cookies, cache, proxy settings, etc. Use with caution!
This setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) could potentially leave the Electron application under full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. While browsers have implemented notifications to inform the user that a remote site is capturing the webcam stream, Electron does not display any notifications.
Review all occurrences of setPermissionRequestHandler
. If used, manually evaluate the implementation and security of the custom callbacks. If not used, the application does not limit session permissions at all, thus the configuration is open to abuses.