talk-desktop
Meta issue: Security improvement
Checklist:
- [x] Remove `SameSite=Lax -> SameSite=None` cookies patching (fixed in: https://github.com/nextcloud/talk-desktop/pull/22)
- [x] ~~#18~~
- [ ] Follow Electron / Best Practices / Security
  - [x] 1. Only load secure content
  - [x] 2. Do not enable Node.js integration for remote content
  - [x] 3. Enable Context Isolation
  - [x] 4. Enable process sandboxing
  - [ ] 5. Handle session permission requests from remote content
  - [x] 6. Do not disable `webSecurity` (https://github.com/nextcloud/talk-desktop/pull/22)
  - [ ] 7. Define a Content Security Policy
  - [x] 8. Do not enable `allowRunningInsecureContent`
  - [x] 9. Do not enable experimental features
  - [x] 10. Do not use `enableBlinkFeatures`
  - [x] 11. Do not use `allowpopups` for WebViews
  - [x] 12. Verify WebView options before creation
  - [x] 13. Disable or limit navigation
  - [x] 14. Disable or limit creation of new windows
  - [ ] 15. Do not use `shell.openExternal` with untrusted content
  - [x] 16. Use a current version of Electron
  - [ ] 17. Validate the sender of all IPC messages
  - [x] 18. Avoid usage of the `file://` protocol and prefer usage of custom protocols (https://github.com/nextcloud/talk-desktop/pull/1204)
  - [ ] 19. Check which `fuses` you can change
  - [x] 20. Do not expose Electron APIs to untrusted web content
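As an added example that is not part of this issue or of talk-desktop's own code: one way the still-open checklist items 5, 15 and 17 (plus the already-checked 13 and 14) can be enforced in an Electron main process. The paired server origin `https://cloud.example.com`, the permission set, the `talk:get-auth-token` channel and the `hardenWindow` helper are all assumptions for illustration; the Electron objects are passed in rather than required so the policy functions also run outside Electron.

```javascript
// Added example, not talk-desktop's code. Origin, permission list and IPC
// channel name are assumptions; a real client derives the origin from the
// server the user logged in to.
const TRUSTED_ORIGIN = 'https://cloud.example.com'; // assumed paired server

// Item 5: the only permissions a Talk client legitimately needs.
const GRANTABLE_PERMISSIONS = new Set(['media', 'notifications', 'display-capture']);

// Items 2-4, 6, 8, 9: webPreferences for every BrowserWindow showing server content.
const SECURE_WEB_PREFERENCES = {
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  experimentalFeatures: false,
};

function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (_) {
    return null; // unparsable input is never trusted
  }
}

// Exact origin comparison: a prefix check would accept
// https://cloud.example.com.attacker.tld as well.
function isTrustedOrigin(urlString) {
  return originOf(urlString) === TRUSTED_ORIGIN;
}

// Item 5: grant only known permissions, and only to the paired server.
function decidePermission(permission, requestingUrl) {
  return isTrustedOrigin(requestingUrl) && GRANTABLE_PERMISSIONS.has(permission);
}

// Item 15: only http(s) links may reach shell.openExternal; file:, javascript:,
// smb: or custom schemes can launch local handlers or leak credentials.
function isSafeExternalUrl(urlString) {
  try {
    const { protocol } = new URL(urlString);
    return protocol === 'http:' || protocol === 'https:';
  } catch (_) {
    return false;
  }
}

// Item 17: a privileged IPC handler checks who is asking. `event.senderFrame`
// is the WebFrameMain the message came from; its `parent` is null only for
// the top-level frame, so embedded third-party frames are refused.
function isTrustedIpcSender(event) {
  const frame = event && event.senderFrame;
  return !!frame && frame.parent === null && isTrustedOrigin(frame.url);
}

// Wires the checks into Electron objects (duck-typed so fakes can exercise it).
function hardenWindow({ webContents, session, shell, ipcMain }) {
  session.setPermissionRequestHandler((_wc, permission, callback, details) => {
    callback(decidePermission(permission, details.requestingUrl));
  });

  // Item 13: in-window navigation stays on the paired server.
  webContents.on('will-navigate', (event, url) => {
    if (!isTrustedOrigin(url)) event.preventDefault();
  });

  // Item 14: never open new Electron windows; hand safe links to the OS browser.
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });

  // Item 17: assumed channel; the handler refuses untrusted senders.
  ipcMain.handle('talk:get-auth-token', (event) => {
    if (!isTrustedIpcSender(event)) throw new Error('IPC sender not trusted');
    return 'token-from-keychain'; // placeholder for the real lookup
  });
}
```

In a real main process `hardenWindow` would receive `win.webContents`, `win.webContents.session`, `shell` and `ipcMain` from `require('electron')` right after the window is created with `webPreferences: SECURE_WEB_PREFERENCES`.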