ajinabraham.njsscan.security_electron.electron_disable_websecurity

Download Count: 1,129
Disabling webSecurity disables the same-origin policy and allows the execution of insecure code from any domain.
Definition
rules:
- id: electron_disable_websecurity
  patterns:
  - pattern-either:
    - pattern: |
        new BrowserWindow({webPreferences: {webSecurity: false}})
    - pattern: |
        var $X = {webPreferences: {webSecurity: false}};
  message: Disabling webSecurity will disable the same-origin policy and allows
    the execution of insecure code from any domain.
  languages:
  - javascript
  severity: ERROR
  metadata:
    owasp-web: a6
    cwe: cwe-346
    license: LGPL-3.0-or-later
Short Link: https://sg.run/E5y5
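
The option shape this rule flags, next to a corrected configuration and a runtime guard for option objects that are built dynamically. This is an added example, not part of the njsscan rule or this registry page; `checkedWindowOptions` and `isRejected` are hypothetical helper names and the sample option objects are constructed.

```javascript
'use strict';
// Added example. Runs under plain Node.js: the guard inspects the options
// object only, so the 'electron' module is not needed to exercise it.

// Constructed sample: the shape the rule flags.
const flaggedOptions = {
  width: 800,
  height: 600,
  webPreferences: { webSecurity: false },
};

// Constructed sample: webSecurity omitted, so Electron's default (true) applies.
const safeOptions = {
  width: 800,
  height: 600,
  webPreferences: { contextIsolation: true },
};

// Hypothetical helper: returns a copy of the options to hand to BrowserWindow,
// or throws if the caller tried to turn webSecurity off. Any value other than
// `true` or "not set" is rejected, so falsy values such as 0 or null are
// caught as well as the literal `false`.
function checkedWindowOptions(options = {}) {
  const prefs = options.webPreferences || {};
  if (prefs.webSecurity !== undefined && prefs.webSecurity !== true) {
    throw new Error('webPreferences.webSecurity must not be disabled');
  }
  // Pin the setting explicitly instead of relying on the default.
  return { ...options, webPreferences: { ...prefs, webSecurity: true } };
}

// Hypothetical helper for tests and logging: true when the options are rejected.
function isRejected(options) {
  try {
    checkedWindowOptions(options);
    return false;
  } catch (err) {
    return true;
  }
}

// In an Electron main process the result would be used as:
//   const win = new BrowserWindow(checkedWindowOptions(safeOptions));
```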