Meta issue: Security improvement #9

Open
@ShGKme

Description

  • Remove SameSite=Lax -> SameSite=None cookies patching (fixed in: Complete Accounts Window #22)
  • Store credentials in the safeStorage #18
  • Follow Electron / Best Practices / Security
    • 1. Only load secure content
    • 2. Do not enable Node.js integration for remote content
    • 3. Enable Context Isolation
    • 4. Enable process sandboxing
    • 5. Handle session permission requests from remote content
    • 6. Do not disable webSecurity (Complete Accounts Window #22)
    • 7. Define a Content Security Policy
    • 8. Do not enable allowRunningInsecureContent
    • 9. Do not enable experimental features
    • 10. Do not use enableBlinkFeatures
    • 11. Do not use allowpopups for WebViews
    • 12. Verify WebView options before creation
    • 13. Disable or limit navigation
    • 14. Disable or limit creation of new windows
    • 15. Do not use shell.openExternal with untrusted content
    • 16. Use a current version of Electron
    • 17. Validate the sender of all IPC messages
    • 18. Avoid usage of the file:// protocol and prefer usage of custom protocols
    • 19. Check which fuses you can change

Metadata

Assignees

Labels

bug (Something isn't working)
medium

Type

No type

Projects

  • Status

    🧭 Planning evaluation (don't pick)

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests