Context isolation is disabled in ElectronJS-S1020
a03, sans-top-25, owasp-top-10, cwe-94, 2021
Context isolation is an Electron feature that runs preload scripts and Electron's internal logic in a JavaScript context separate from the one the loaded website runs in. This matters for security because it prevents the website from reaching Electron internals or the powerful APIs your preload script has access to.
Context isolation has been enabled by default since Electron 12, and it is a recommended security setting for all applications.
Setting nodeIntegration to false is not enough on its own: contextIsolation must also be enabled to truly enforce strong isolation. Without it, the preload script and the loaded page share a single JavaScript world, so the page can reach whatever the preload script attaches to window and can tamper with the built-ins the preload script relies on (for example Array.prototype or Function.prototype), which is enough to get at the Node primitives and Electron APIs the preload script holds.
Bad Practice
const { BrowserWindow } = require('electron')

const mainWindow = new BrowserWindow({
  webPreferences: {
    // `contextIsolation` should not be set to false: the preload script and the
    // loaded page would then share one JavaScript world.
    contextIsolation: false
  }
})
Recommended
const { BrowserWindow } = require('electron')

const mainWindow = new BrowserWindow({
  // Alternatively, do not set these properties in the preferences object at all:
  // since Electron 12 they are configured correctly by default.
  webPreferences: {
    contextIsolation: true
  }
})