No More Posting New Topics!

If you have a question or an issue, please start a thread in our Github Discussions Forum.
This forum is closed for new threads/ topics.

Navigation

    Quasar Framework
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search

    Security warnings when running in Electron dev mode

    Starter Kits
    5
    6
    7178
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pg last edited by

      I am currently building an Electron App using quasar starter kit. (the one with Web Pack and quasar cli)
      When I run in dev mode using quasar dev -m electron, I get 3 security warnings.
      I would like to know if it’s fine or should I try to correct the warnings.

      Warning 1 - Electron Security Warning (Node.js Integration with Remote Content) This renderer process has Node.js integration enabled and attempted to load remote content. This exposes users of this app to severe security risks.

      Question : I checked the “sources” tab and saw nothing else than localhost and webpack… so my guess is it doesn’t matter.

      Warning 2 - Electron Security Warning (Insecure Resources) This renderer process loads resources using insecure protocols. This exposes users of this app to unnecessary security risks. Consider loading the following resources over HTTPS or FTPS.

      Question : After that, I get a bunch of files served by the dev server… so my guess is it doesn’t matter because users will run a production build?

      Warning 3 - Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with “unsafe-eval” enabled. This exposes users of this app to unnecessary security risks.

      Question : Where can I put a CSP that restrict loading only to local ressources and prevent the eval function? I tried various things during 1 hour and got nothing working. (in the electron main process js file, and a meta tag in the html template)

      1 Reply Last reply Reply Quote 3
      • J
        jaysaurus last edited by

        I’d like to second this question please.

        1 Reply Last reply Reply Quote 0
        • rstoenescu
          rstoenescu Admin last edited by

          These security warnings can be ignored. While developing the electron app it redirects to the dev server (which is on HTTP) hence the security warnings. Which are valid only for dev mode.

          1 Reply Last reply Reply Quote 4
          • J
            jaysaurus last edited by

            Cool, that’s what I figured but it didn’t hurt to check 🙂

            1 Reply Last reply Reply Quote 0
            • s-light
              s-light last edited by

              is it possible to switch this dev server also to HTTPS?

              i have already switched the ‘dev server’ to HTTPS like mentioned at
              https://quasar.dev/quasar-cli/quasar-conf-js#devServer-Property
              but seems this is only changing the server for SPA mode.

              1 Reply Last reply Reply Quote 0
              • smellydogcoding
                smellydogcoding last edited by smellydogcoding

                Can someone recommend a content security policy setting that will work with a quasar electron app? I currently have

                session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
    callback({ responseHeaders: Object.assign({
      'Content-Security-Policy': [ 'default-src \'self\'' ]
    }, details.responseHeaders) })
  })

                but it keeps the app from running at all because it refuses to run inline scripts. I believe the scripts are being generated by Vue since I don’t have any external content.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post