Security warnings when running in Electron dev mode



  • I am currently building an Electron app using the Quasar starter kit (the one with webpack and the Quasar CLI).
    When I run in dev mode using quasar dev -m electron, I get 3 security warnings.
    I would like to know whether it’s fine or whether I should try to correct the warnings.

    Warning 1 - Electron Security Warning (Node.js Integration with Remote Content) This renderer process has Node.js integration enabled and attempted to load remote content. This exposes users of this app to severe security risks.

    Question: I checked the “sources” tab and saw nothing other than localhost and webpack… so my guess is it doesn’t matter.

    Warning 2 - Electron Security Warning (Insecure Resources) This renderer process loads resources using insecure protocols. This exposes users of this app to unnecessary security risks. Consider loading the following resources over HTTPS or FTPS.

    Question: After that, I get a bunch of files served by the dev server… so my guess is it doesn’t matter because users will run a production build?

    Warning 3 - Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with “unsafe-eval” enabled. This exposes users of this app to unnecessary security risks.

    Question: Where can I put a CSP that restricts loading to local resources only and prevents the eval function? I tried various things for 1 hour and got nothing working (in the Electron main process JS file, and a meta tag in the HTML template).



  • I’d like to second this question please.


  • Admin

    These security warnings can be ignored. While developing the Electron app, it redirects to the dev server (which is on HTTP), hence the security warnings, which are valid only for dev mode.



  • Cool, that’s what I figured but it didn’t hurt to check 🙂



  • Is it possible to switch this dev server to HTTPS as well?

    I have already switched the ‘dev server’ to HTTPS as mentioned at
    https://quasar.dev/quasar-cli/quasar-conf-js#devServer-Property
    but it seems this only changes the server for SPA mode.



  • Can someone recommend a content security policy setting that will work with a quasar electron app? I currently have

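    // Main process; session.defaultSession is usable once the app is ready.
    const { session } = require('electron')

    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
      callback({
        responseHeaders: Object.assign({
          'Content-Security-Policy': ["default-src 'self'"]
        }, details.responseHeaders)
      })
    })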
    

    but it keeps the app from running at all because it refuses to run inline scripts. I believe the scripts are being generated by Vue since I don’t have any external content.
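
One way to keep the strict policy asked about above for the packaged app while relaxing it only for the dev server, as an added example that is not part of the thread or Quasar's own code. The helper names and the dev-mode relaxations (inline code, eval-based source maps, an HMR websocket) are assumptions about the webpack dev build.

```javascript
// Added example; buildCsp, withCsp and installCsp are hypothetical helpers.
// Strict policy for the packaged app: same origin only, no inline script, no eval.
const STRICT = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
};

// Assumed dev-server needs (eval source maps, injected inline code, HMR
// websocket). Check them against your own build and trim what it does not use.
const DEV_EXTRA = {
  'script-src': ["'unsafe-inline'", "'unsafe-eval'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'connect-src': ["'self'", 'ws:'],
};

function buildCsp(isDev) {
  const policy = {};
  for (const [name, values] of Object.entries(STRICT)) policy[name] = [...values];
  if (isDev) {
    for (const [name, values] of Object.entries(DEV_EXTRA)) {
      policy[name] = [...(policy[name] || []), ...values];
    }
  }
  return Object.entries(policy)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Header names are case-insensitive, so drop any CSP the server already sent,
// whatever its casing, and send exactly one policy.
function withCsp(responseHeaders, csp) {
  const out = {};
  for (const [name, value] of Object.entries(responseHeaders || {})) {
    if (name.toLowerCase() !== 'content-security-policy') out[name] = value;
  }
  out['Content-Security-Policy'] = [csp];
  return out;
}

// `ses` is an Electron Session, e.g. session.defaultSession once the app is ready.
function installCsp(ses, isDev) {
  const csp = buildCsp(isDev);
  ses.webRequest.onHeadersReceived((details, callback) => {
    callback({ responseHeaders: withCsp(details.responseHeaders, csp) });
  });
  return csp;
}
```

The header route only applies to responses served over HTTP(S), such as the dev server; a page loaded through file:// needs the policy in a `<meta>` tag instead.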

