Electron
/
electron
зеркало из https://github.com/electron/electron.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #8456 from yuya-oc/docs-security 

Add to security checklist about permission requests
This commit is contained in:
Kevin Sawicki 2017-01-20 08:04:01 -08:00 коммит произвёл GitHub
Родитель 8a22139d57 11f2574fda
Коммит edcea3e800
1 изменённых файлов: 2 добавлений и 1 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
docs/tutorial/security.md
Просмотреть файл

@ -56,8 +56,9 @@ This is not bulletproof, but at the least, you should attempt the following:
* Only display secure (https) content * Only display secure (https) content
* Disable the Node integration in all renderers that display remote content * Disable the Node integration in all renderers that display remote content
(setting `nodeIntegration` to `false` in `webPreferences`) (setting `nodeIntegration` to `false` in `webPreferences`)
* Enable context isolation in all rendererers that display remote content * Enable context isolation in all renderers that display remote content
(setting `contextIsolation` to `true` in `webPreferences`) (setting `contextIsolation` to `true` in `webPreferences`)
* Use `ses.setPermissionRequestHandler()` in all sessions that load remote content
* Do not disable `webSecurity`. Disabling it will disable the same-origin policy. * Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
* Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) * Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
, and use restrictive rules (i.e. `script-src 'self'`) , and use restrictive rules (i.e. `script-src 'self'`)