How do I set the Content Security Policy?


#1

My Electron app always emits a security warning at start-up.

/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js:188 Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to unnecessary security risks.

For more information and help, consult https://electronjs.org/docs/tutorial/security.
This warning will not show up once the app is packaged.

Naturally I’d like my app to be as secure as possible, so I want to fix this. However:

  • The code samples in the documentation don’t really work, except for defining the CSP meta tag (see https://electronjs.org/docs/tutorial/security, section 6).
  • That would solve it, except the documentation seems to (hesitantly) recommend against it. Why is setting the meta tag not right?
  • electron-quick-start, and other boilerplates I can find, do not address this issue at all. If security is important, then the samples should recommend doing the right thing, don’t you think?

I’m not the only one with this question, see this on stackoverflow: https://stackoverflow.com/questions/51969512/define-csp-http-header-in-electron-app
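Added example, not code from the thread or from the Electron project: the header-based approach from the security tutorial the post links to, factored so that the header logic runs and can be tested without Electron. It assumes Electron's documented `session.defaultSession.webRequest.onHeadersReceived(listener)` API, where the listener receives a `details` object whose `responseHeaders` maps header names to arrays of strings and must hand the (possibly modified) headers to `callback`. Unlike the meta tag, which only covers pages that contain it, a header set this way applies to every response the session receives; a policy the origin already sent is kept and ours is added beside it, because multiple CSP headers are all enforced, so the result can only get stricter. `buildCsp`, `isWeakCsp`, `withCsp` and `installCsp` are names chosen for this example.

```javascript
// Example code (not from the Electron docs or the original thread). Assumes
// Electron's session.webRequest.onHeadersReceived(listener) API; the session
// object is injected so the logic can run outside Electron.

// Build a CSP header value from a directive map, e.g.
// { 'default-src': ["'self'"] } -> "default-src 'self'".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}

// Strict baseline: same-origin scripts and styles only, no eval, no plugins.
const DEFAULT_POLICY = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'object-src': ["'none'"],
});

// Mirrors the condition behind the start-up warning quoted in the thread:
// no policy at all, or a policy that allows 'unsafe-eval'.
function isWeakCsp(policy) {
  if (typeof policy !== 'string' || policy.trim() === '') return true;
  return /'unsafe-eval'/i.test(policy);
}

// Given the `details` object Electron passes to onHeadersReceived, return the
// value to pass to `callback`. The existing header is looked up
// case-insensitively (Chromium lowercases names, servers vary), and our policy
// is appended rather than replacing anything the origin already sent.
function withCsp(details, policy = DEFAULT_POLICY) {
  const headers = { ...(details.responseHeaders || {}) };
  const key =
    Object.keys(headers).find((k) => k.toLowerCase() === 'content-security-policy') ||
    'Content-Security-Policy';
  const current = headers[key] === undefined ? [] : [].concat(headers[key]);
  if (!current.includes(policy)) headers[key] = [...current, policy];
  return { responseHeaders: headers };
}

// Register the rewrite on a session (e.g. session.defaultSession).
function installCsp(session, policy = DEFAULT_POLICY) {
  session.webRequest.onHeadersReceived((details, callback) => {
    callback(withCsp(details, policy));
  });
}

// Usage in the Electron main process, after app.whenReady():
//   const { session } = require('electron');
//   installCsp(session.defaultSession);

if (typeof module !== 'undefined') {
  module.exports = { buildCsp, DEFAULT_POLICY, isWeakCsp, withCsp, installCsp };
}
```

Pages the app renders from `file://` that cannot receive this header can still carry the `<meta http-equiv="Content-Security-Policy">` tag the documentation shows; the two mechanisms combine, and the warning only concerns renderers that end up with no policy or one containing `'unsafe-eval'`.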


#2

Would also love a simple explanation and fix.