Security warning in the console of BrowserWindow (electron ^9.2.0)

I am new to electron and I am getting this in the console (of DevTools) of every BrowserWindow I open:

webFrame.executeJavaScript was called without worldSafeExecuteJavaScript enabled. This is considered unsafe. worldSafeExecuteJavaScript will be enabled by default in Electron 12.

I am also getting one more security warning and that is:

Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to unnecessary security risks.

I don't know what exactly I am doing wrong...!!

This is my console window

This is my package.json

Tayyab Ferozi asked Aug 15 '20 14:08


2 Answers

webFrame.executeJavaScript and contextIsolation

Add the following setting to your BrowserWindow in main.js:

    webPreferences: { worldSafeExecuteJavaScript: true, contextIsolation: true }

For reference, see:

  • https://www.electronjs.org/docs/api/browser-window#class-browserwindow

Insecure Content-Security-Policy

Add the following to the head of your index.html and any other HTML pages if you are loading them locally:

    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">

For reference, see:

  • https://www.electronjs.org/docs/tutorial/security#6-define-a-content-security-policy
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
DBolton answered Nov 06 '22 14:11


First add a CSP policy, like this one:

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'">

This may break some scripts, but it's better to do this. Also, you can enable unsafe-inline.

  1. See Electron's security recommendations

HyperNight answered Nov 06 '22 14:11
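To make the CSP side of both answers concrete, here is an added example (my own code, not from either answer and not Electron's implementation) that parses a Content-Security-Policy value and reports whether it is in the state the warning describes: no policy covering scripts, or 'unsafe-eval' permitted for scripts. It assumes Electron's check boils down to that condition (Electron actually probes whether eval works in the renderer); the function names and sample policies are constructed for this illustration. It also shows why the second answer's remark matters: 'unsafe-inline' does not trigger the eval warning, yet a reviewer would still flag it.

```javascript
// Parse a CSP header/meta value into a Map of directive -> [source expressions].
// A repeated directive is ignored after its first occurrence, as the CSP spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const rawDirective of String(policy || '').split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Sources governing <script> execution: script-src, falling back to default-src.
// Returns null when nothing in the policy restricts scripts.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when the renderer would be in the state the Electron warning complains about
// (assumed condition: no script-governing directive, or 'unsafe-eval' allowed).
function cspAllowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.includes("'unsafe-eval'");
}

// Script sources weaker than 'self' that deserve a second look even though they
// do not trigger the eval warning; 'unsafe-inline' is the one the second answer mentions.
function weakScriptSources(policy) {
  const sources = effectiveScriptSources(parseCsp(policy)) || [];
  const weak = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'http:', 'https:']);
  return sources.filter((s) => weak.has(s));
}

// Render the <meta> tag the answers add to index.html from a directive object.
function cspMetaTag(directives) {
  const policy = Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Constructed sample policies: the two from the answers plus variants around the edge cases.
const samplePolicies = {
  none: '',
  answerOne: "script-src 'self'",
  answerTwo: "default-src 'self'",
  evalViaDefault: "default-src 'self' 'unsafe-eval'",
  evalOverridden: "default-src 'unsafe-eval'; script-src 'self'", // script-src wins over default-src
  inlineOnly: "default-src 'self'; script-src 'self' 'unsafe-inline'",
};

for (const [label, policy] of Object.entries(samplePolicies)) {
  console.log(label.padEnd(15), 'eval allowed:', cspAllowsEval(policy), 'weak:', weakScriptSources(policy));
}
console.log(cspMetaTag({ 'default-src': ["'self'"], 'script-src': ["'self'"] }));
```

Run it with node; the evalOverridden row shows that a permissive default-src is harmless for scripts once an explicit script-src is present, while the inlineOnly row passes the eval check but still lists 'unsafe-inline' as a weak source.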