doyensec / electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.
Apache License 2.0

Introduces PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK, resolves #24 #43

Closed phosphore closed 5 years ago

phosphore commented 5 years ago

Following @ikkisoft's review on #41, the setPermissionRequestHandler checks and the on() check for 'will-navigate' and 'new-window' events will be split into two different checks and, consequently, two different PRs.

This PR introduces the PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK, checking for the absence of setPermissionRequestHandler to limit specific permissions (e.g. openExternal) in response to events from particular origins.
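A handler of the kind this check looks for, as an added example that is not code from this PR or from Electronegativity: it denies every permission request by default and grants only allowlisted permissions to allowlisted origins. The `ALLOWED` map, the origin `https://app.example.com` and the helper names are assumptions made for illustration.

```javascript
// Added example: deny-by-default permission handling for an Electron main process.
// ALLOWED is a hypothetical allowlist; the origin and its permissions are constructed.
const ALLOWED = new Map([
  ['https://app.example.com', new Set(['notifications', 'openExternal'])],
]);

// Origin of a URL, or null when it does not parse or is opaque (file:, data:, ...).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;
  } catch (_) {
    return null;
  }
}

// Pure decision function, kept separate so it can be tested without Electron.
function isPermitted(url, permission, allowed = ALLOWED) {
  const origin = originOf(url);
  if (origin === null) return false;
  const perms = allowed.get(origin);
  return perms !== undefined && perms.has(permission);
}

// Same signature Electron passes to setPermissionRequestHandler.
// Both the top-level page and the requesting frame (when reported) must be allowed,
// so an allowlisted page embedding an untrusted frame, or the reverse, is denied.
function permissionRequestHandler(webContents, permission, callback, details) {
  const urls = [webContents.getURL()];
  if (details && details.requestingUrl) urls.push(details.requestingUrl);
  callback(urls.every((u) => isPermitted(u, permission)));
}

// Wiring in the main process (requires Electron, so it is not executed here):
//   const { app, session } = require('electron');
//   app.whenReady().then(() => {
//     session.defaultSession.setPermissionRequestHandler(permissionRequestHandler);
//   });
```

Sessions created with `session.fromPartition()` need the same handler registered on them, since a handler set on `defaultSession` does not cover other sessions.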

phosphore commented 5 years ago

Updated the wiki accordingly: