no-electron-disable-web-security

Disallow disabling Electron webPreferences.webSecurity for renderer contexts.

Targeted pattern scope

This rule targets Electron BrowserWindow and BrowserView constructor options that set webPreferences.webSecurity to false.

What this rule reports

This rule reports webPreferences.webSecurity: false in Electron renderer configuration objects.

Why this rule exists

Turning off webSecurity removes browser-origin protections and expands the attack surface for untrusted renderer content.

❌ Incorrect

new BrowserWindow({
 webPreferences: {
  webSecurity: false,
 },
});

✅ Correct

new BrowserWindow({
 webPreferences: {
  webSecurity: true,
 },
});

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },
  rules: {
   "sdl/no-electron-disable-web-security": "error",
  },
 },
];

When not to use it

Disable only for tightly controlled offline renderer scenarios with explicit compensating controls and no untrusted content.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​