45

I've created Electron-Vuejs-Vuetify project from this Vuetify's boilerplate

I'm seeing this warning in the console:

Electron Security Warning 
This renderer process has Node.js integration enabled and 
attempted to load remote content. This exposes users of this app to severe security risks.

For more information and help, consult https://electronjs.org/docs/tutorial/security

Question:

What can possible cause that - Node, Vue.js, webpack's localhost config? What should I do?

Un1
  • 3,874
  • 12
  • 37
  • 79
  • Don't really get your question, are you asking why you're seeing that warning? or what exactly are you asking? – antzshrek Feb 18 '18 at 17:23
  • @antzshrek well, it cannot be a good thing to have a warning in your app. It means something is doing something it shouldn't do, so I'm trying to understand what broke and how to fix it – Un1 Feb 18 '18 at 17:29
  • Yea, something was wrong. – antzshrek Feb 18 '18 at 17:40
  • 4
    I used https://github.com/SimulatedGREG/electron-vue boilerplate and I have the same issue. Thank you for a good question! – Alex Pilugin Feb 19 '18 at 09:51

7 Answers7

37

Add the following line to main.js:

process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';

However you should read Security, Native Capabilities, and Your Responsibility to fully understand the implications of doing so.

netlander
  • 1,128
  • 1
  • 11
  • 12
  • 4
    Yeah, I added that, but it's not the main concern. I was trying to figure out **why** does Chrome displays those scary warnings in a newly created Electron project. There's 2 issues on Github regarding this issue, and still no info on how to fix those "security problems" – Un1 Jul 11 '18 at 17:52
  • 1
    It's related to a potential security vulnerability when you try to access content through something like "http-//example.com" in your code. Using relative paths will stop the warnings, they also won't show in a production build only when the developer is looking at the console in dev. – netlander Jul 13 '18 at 10:32
  • What does `process` refer to? – bluenote10 Feb 10 '19 at 14:17
  • 2
    @netlander could you expand on that? I only use relative paths and I'm getting the warning. I also have `nodeIntegration: true` but I need that. – Marc Apr 01 '19 at 20:02
  • @bluenote10 `process` is something provided by NodeJS that contains a lot information about the running process of your Node/application instance – paddotk Jul 28 '19 at 02:44
33

You're having this:

Electron Security Warning This renderer process has Node.js integration enabled and attempted to load remote content. This exposes users of this app to severe security risks.

Because from the 2nd Security Recommendations from Electron Documentation

2) Disable Node.js Integration for Remote Content

It is paramount that you disable Node.js integration in any renderer (BrowserWindow, BrowserView, or WebView) that loads remote content. The goal is to limit the powers you grant to remote content, thus making it dramatically more difficult for an attacker to harm your users should they gain the ability to execute JavaScript on your website.

After this, you can grant additional permissions for specific hosts. For example, if you are opening a BrowserWindow pointed at "https://my-website.com/", you can give that website exactly the abilities it needs, but no more.

Why?

A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user's computer. Cross-site-scripting attacks are fairly common - and while an issue, their power is usually limited to messing with the website that they are executed on. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called "Remote Code Execution" (RCE) attack.

How?

// Bad
const mainWindow = new BrowserWindow()
mainWindow.loadURL('https://my-website.com')

// Good
const mainWindow = new BrowserWindow({
  webPreferences: {
    nodeIntegration: false,
    preload: './preload.js'
  }
})

mainWindow.loadURL('https://my-website.com')

<!-- Bad -->
<webview nodeIntegration src="page.html"></webview>

<!-- Good -->
<webview src="page.html"></webview>

When disabling Node.js integration, you can still expose APIs to your website that do consume Node.js modules or features. Preload scripts continue to have access to require and other Node.js features, allowing developers to expose a custom API to remotely loaded content.

In the following example preload script, the later loaded website will have access to a window.readConfig() method, but no Node.js features.

const { readFileSync } = require('fs')

window.readConfig = function () {
  const data = readFileSync('./config.json')
  return data
}

Therefore you're been warned so that you can Disable Node.js Integration for Remote Content.

I hope this helps answer your question.

benomatis
  • 5,536
  • 7
  • 36
  • 59
antzshrek
  • 9,276
  • 5
  • 26
  • 43
  • 6
    Thank you for the explanation. But unfortunately that doesn't help. I added `nodeIntegration: false,` to the webPreferences of the `mainWindow`, but now I see 2 `Uncaught ReferenceError: module is not defined`, which are pointing to the `` tag in the "index.js" file and the "renderer.js" file (webpack's file that loads modules I suppose) – Un1 Feb 18 '18 at 17:52
  • 2
    When I hover over the `renderer.js` error I can see it's pointing to `http://localhost:9080/renderer.js` perhaps webpack is doing something in the dev mode that electron doesn't like. mainWindow loads this as the url: **const winURL = process.env.NODE_ENV === 'development' ? `http://localhost:9080` : `file://${__dirname}/index.html`** So maybe Electron doesn't like a localhost address thinking that it loads some external website? – Un1 Feb 18 '18 at 17:56
  • can you try `https://localhost:9080` instead of the `http://localhost:9080` – antzshrek Feb 18 '18 at 18:09
  • 1
    It shows me Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR. I tried creating a new project from the boilerplate and now I'm seeing this error right away without even doing anything myself. I guess there's a problem with the boilerplate – Un1 Feb 18 '18 at 18:33
  • 1
    The question is not so much, "what is the cause of the exception", so much as "how can I find out what is making the remote request?". I have the same problem with my own Vue/Electron app. None of my own code is making external calls - but something in my boilerplate is doing otherwise. I can't find out what. – Jimmy Breck-McKye Feb 22 '18 at 17:20
  • 4
    @JimmyBreck-McKye everyone is seeing this warning after the last `electron-vue` boilerplate update – Un1 Feb 22 '18 at 17:24
  • 2
    @Un1 Yeah, I gave up with that boilerplate some time yesterday afternoon. I'm actually writing my own as we speak that tries to resolve these issues. From what I can tell the problem is that if electron is running from webpack-dev-server, the window.location.protocol not being 'file' makes Electron throw the error. – Jimmy Breck-McKye Feb 22 '18 at 17:27
  • @JimmyBreck-McKye right, it uses `http://localhost:9080` during dev. So you think that's what throws Electron off and makes it think that it's loading some remote resource? Well, good luck with that project, though wouldn't it be less time consuming to simply fix the `SimulatedGREG/electron-vue` and push request the bug fix, instead of creating a new project? – Un1 Feb 22 '18 at 17:35
  • @Un1 There are a few other things I wanted to add, like Parcel. And electron-vue just doesn't work at all locally as of the most recent release. But yeah, that's what I think is going wrong. – Jimmy Breck-McKye Feb 22 '18 at 17:37
13

The Electron security checklist mentions how to deal with the security warning. In particular, when serving index.html from file: protocol (where you can't use HTTP CSP headers), it is possible to use the meta tag for the same purpose, as documented in the security checklist here: CSP HTTP header.

It recommends to use

<meta http-equiv="Content-Security-Policy" content="default-src 'none'" />

…but I have found (got help on GitHub here) this one to be more practical as it allows one to use script src:

<meta http-equiv="Content-Security-Policy" content="script-src 'self';" />

More on CSP on content-security-policy.com.

Tomáš Hübelbauer
  • 9,179
  • 14
  • 63
  • 125
7

Add

process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';

Like this and the error message will go away.

enter image description here

Adrian Smith
  • 1,013
  • 1
  • 13
  • 21
5

The newer version of the electron Vue template has these warnings that were previously disabled in the beta using:

process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';

Which now requires you to do the following inside your index.js:

process.env.ELECTRON_DISABLE_SECURITY_WARNINGS = '1';
li x
  • 3,953
  • 2
  • 31
  • 51
1

From Electron 2.0 on, developers will see warnings and recommendations printed to the developer console. They only show up when the binary's name is Electron, indicating that a developer is currently looking at the console.

I would suggest you to follow Electron official Security Recommendations checklist to avoid these warnings https://github.com/electron/electron/blob/master/docs/tutorial/security.md

GorvGoyl
  • 42,508
  • 29
  • 229
  • 225
  • 4
    It's not the point, people are confused because those warnings make you think that you did something wrong and made your app extremely dangerous to use – Un1 Sep 14 '18 at 08:28
0

TLDR: Disable eval() in your BrowserWindow options.

I just went through this process on the latest electron, vue etc. and the solution is to disable eval() which can be a security risk due to it executing code which is not from you (or your app).

Add the allowEval: false to your webPreferences during window creation to prevent the warning cleanly:

const win = new electron.BrowserWindow({
    webPreferences: {
        allowEval: false // This is the key!
    }
});

Some background info: electron actually tries to execute some javascript code (from a string using require('electron').executeJavaScript) and, if it succeeds, it considers your code unsafe.

Marc
  • 13,011
  • 11
  • 78
  • 98