2017-12-28

"Command Line Gui Tools" to make launching Electron apps easier, faster and fun

Only display secure (https) content, e.g. <webview :src="'https://' + url" :preload="preloadScript"></webview>

Disable the Node integration in all renderers that display remote content (setting nodeIntegration to false in webPreferences)

Enable context isolation in all renderers that display remote content (setting contextIsolation to true in webPreferences)

Use ses.setPermissionRequestHandler() in all sessions that load remote content

Do not disable webSecurity. Disabling it will disable the same-origin policy.

Define a Content-Security-Policy, and use restrictive rules (e.g. script-src 'self').

Override and disable eval, which allows strings to be executed as code.

Do not set allowRunningInsecureContent to true.

Do not enable experimentalFeatures or experimentalCanvasFeatures unless you know what you're doing.

Do not use blinkFeatures unless you know what you're doing.

WebViews: Do not add the nodeintegration attribute.

WebViews: Do not use disablewebsecurity.

WebViews: Do not use allowpopups.

WebViews: Do not use insertCSS or executeJavaScript with remote CSS/JS.
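The checklist above can be turned into an automated check. The following is an added example, not code from the original page or from the Electron project: it audits a BrowserWindow webPreferences object, a set of <webview> attributes and a CSP header value against the rules listed, and shows how eval can be neutralised on a global object. The function names and the sample configurations are constructed for this example.

```javascript
// Audit the webPreferences object passed to new BrowserWindow({ webPreferences }).
// Returns an array of findings; an empty array means every rule above is satisfied.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration !== false) findings.push('nodeIntegration must be false for remote content');
  if (prefs.contextIsolation !== true) findings.push('contextIsolation must be true for remote content');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled: same-origin policy is off');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent must not be true');
  if (prefs.experimentalFeatures === true) findings.push('experimentalFeatures enabled');
  if (prefs.experimentalCanvasFeatures === true) findings.push('experimentalCanvasFeatures enabled');
  if (prefs.blinkFeatures) findings.push('blinkFeatures set: ' + prefs.blinkFeatures);
  return findings;
}

// Audit the attributes of a <webview> tag, given as an object keyed by attribute name.
// Boolean attributes (nodeintegration, disablewebsecurity, allowpopups) count when present at all.
function auditWebviewAttributes(attrs) {
  const findings = [];
  for (const bad of ['nodeintegration', 'disablewebsecurity', 'allowpopups']) {
    if (bad in attrs) findings.push('webview has ' + bad + ' attribute');
  }
  const src = attrs.src || '';
  if (!/^https:\/\//i.test(src)) findings.push('webview src is not https: ' + src);
  return findings;
}

// True when the CSP has a script-src directive that lists only concrete sources
// (no wildcard, no bare scheme, no 'unsafe-inline' / 'unsafe-eval').
function hasRestrictiveScriptSrc(csp) {
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src'));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1);
  const loose = ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:'];
  return sources.length > 0 && !sources.some(s => loose.includes(s));
}

// Replace eval on a global object (window in a renderer) so string-to-code execution throws.
function disableEval(globalObj) {
  globalObj.eval = function () { throw new Error('eval is disabled in this renderer'); };
  return globalObj;
}

// Constructed sample inputs: a weak configuration next to its hardened form.
const weakPrefs = { nodeIntegration: true, webSecurity: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true };
```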