PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK - Detect missing setPermissionRequestHandler for untrusted origins
This global check detects whether the atomic PERMISSION_REQUEST_HANDLER_JS_CHECK is missing, meaning that setPermissionRequestHandler is never set in the target application.
This setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) could leave the Electron application under the full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio or video. While browsers display a notification to inform the user that a remote site is capturing the webcam stream, Electron does not display any such notification.
Review all occurrences of setPermissionRequestHandler. If it is used, manually evaluate the implementation and security of the custom callbacks. If it is not used, the application does not limit session permissions at all, and the configuration is open to abuse.