no-electron-webview-allowpopups

Disallow enabling allowpopups on Electron <webview> elements.

Targeted pattern scope

Electron <webview> usage with allowpopups enabled.

What this rule reports

JSX <webview> attributes that enable allowpopups.

Why this rule exists

Allowing popups from embedded untrusted content expands attack surface and abuse channels.

❌ Incorrect

const view = <webview allowpopups src="https://example.com" />;

✅ Correct

const view = <webview src="https://example.com" />;

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },

  rules: {
   "sdl/no-electron-webview-allowpopups": "error",
  },
 },
];

When not to use it

Disable only if the embedded content is fully trusted and popup behavior is part of a reviewed application design.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​