Security warnings when running in Electron dev mode



  • I am currently building an Electron app using the Quasar starter kit (the one with Webpack and the Quasar CLI).
    When I run in dev mode using quasar dev -m electron, I get 3 security warnings.
    I would like to know if it’s fine or if I should try to correct the warnings.

    Warning 1 - Electron Security Warning (Node.js Integration with Remote Content) This renderer process has Node.js integration enabled and attempted to load remote content. This exposes users of this app to severe security risks.

    Question: I checked the “sources” tab and saw nothing other than localhost and webpack… so my guess is it doesn’t matter.

    Warning 2 - Electron Security Warning (Insecure Resources) This renderer process loads resources using insecure protocols. This exposes users of this app to unnecessary security risks. Consider loading the following resources over HTTPS or FTPS.

    Question: After that, I get a bunch of files served by the dev server… so my guess is it doesn’t matter because users will run a production build?

    Warning 3 - Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with “unsafe-eval” enabled. This exposes users of this app to unnecessary security risks.

    Question: Where can I put a CSP that restricts loading to local resources only and prevents the eval function? I tried various things for 1 hour and got nothing working (in the Electron main process JS file, and a meta tag in the HTML template).
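
One way to define a policy like the one asked about in Warning 3 and attach it from the main process, as an added example that is not part of the original post or of Quasar's own code. The function names are hypothetical, and the dev-server port and dev-mode relaxations are assumptions.

```javascript
// Added example. buildCsp, applyCsp, installCsp and cspMetaTag are hypothetical
// names; the dev-server port and the dev relaxations are assumptions.

// Production policy: only the app's own origin, no eval, no plugins.
// Dev policy: additionally allows what a webpack dev server with eval-based
// source maps, injected styles and a hot-reload websocket typically needs.
function buildCsp({ dev = false, devPort = 8080 } = {}) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'"],
    'style-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
  };
  if (dev) {
    directives['script-src'].push("'unsafe-eval'");
    directives['style-src'].push("'unsafe-inline'");
    directives['connect-src'] = ["'self'", `ws://localhost:${devPort}`];
  }
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Replace any CSP header the server sent (header names are case-insensitive).
function applyCsp(responseHeaders, csp) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders || {})) {
    if (name.toLowerCase() !== 'content-security-policy') headers[name] = value;
  }
  headers['Content-Security-Policy'] = [csp];
  return headers;
}

// Main process: call with Electron's session.defaultSession once the app is ready.
// Covers pages loaded over http(s), such as the dev server.
function installCsp(ses, csp) {
  ses.webRequest.onHeadersReceived((details, callback) => {
    callback({ responseHeaders: applyCsp(details.responseHeaders, csp) });
  });
}

// Pages loaded from file:// receive no response headers, so a packaged build
// needs the same policy as a <meta> tag in the HTML template's <head>.
function cspMetaTag(csp) {
  return `<meta http-equiv="Content-Security-Policy" content="${csp}">`;
}
```

In the main process this would be wired as `installCsp(session.defaultSession, buildCsp({ dev: process.env.NODE_ENV === 'development' }))` after `app.whenReady()` resolves; the `NODE_ENV` check is an assumption about the build setup.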