talk-desktop
Meta issue: Security improvement
- [x] Remove `SameSite=Lax` -> `SameSite=None` cookies patching (fixed in: https://github.com/nextcloud/talk-desktop/pull/22)
- [ ] #18
- [ ] Follow Electron / Best Practices / Security
  - [x] 1. Only load secure content
  - [x] 2. Do not enable Node.js integration for remote content
  - [x] 3. Enable Context Isolation
  - [x] 4. Enable process sandboxing
  - [ ] 5. Handle session permission requests from remote content
  - [x] 6. Do not disable `webSecurity` (https://github.com/nextcloud/talk-desktop/pull/22)
  - [ ] 7. Define a Content Security Policy
  - [x] 8. Do not enable `allowRunningInsecureContent`
  - [x] 9. Do not enable experimental features
  - [x] 10. Do not use `enableBlinkFeatures`
  - [x] 11. Do not use `allowpopups` for WebViews
  - [ ] 12. Verify `WebView` options before creation
  - [ ] 13. Disable or limit navigation
  - [x] 14. Disable or limit creation of new windows
  - [ ] 15. Do not use `shell.openExternal` with untrusted content
  - [x] 16. Use a current version of Electron
  - [ ] 17. Validate the sender of all IPC messages
  - [ ] 18. Avoid usage of the `file://` protocol and prefer usage of custom protocols
  - [x] 19. Check which `fuses` you can change