
no-electron-webview-node-integration

Disallow Electron <webview> configurations that enable node integration.

Targeted pattern scope

Electron <webview> configurations enabling node integration flags.

What this rule reports

<webview> elements that set the nodeintegration or nodeintegrationinsubframes attributes, or that enable node-integration flags through webpreferences.

Why this rule exists

Enabling Node integration for untrusted content in a renderer context can break isolation and open code-execution paths.

โŒ Incorrectโ€‹

const view = <webview nodeintegration src="https://example.com" />;

✅ Correct

const view = <webview src="https://example.com" webpreferences="sandbox=yes" />;

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },

    rules: {
      "sdl/no-electron-webview-node-integration": "error",
    },
  },
];

When not to use it

Disable only for legacy webview flows with documented trust guarantees and compensating isolation controls.
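
One possible compensating control is a main-process guard on Electron's will-attach-webview event, which also covers <webview> tags built at runtime that a lint rule cannot see. This is an added example, not code from eslint-plugin-sdl-2; the names hardenWebviewPreferences, installWebviewGuard and ALLOWED_ORIGINS and the allowlisted origin are assumptions made for illustration.

```javascript
// Added example: main-process guard, not part of eslint-plugin-sdl-2.
// hardenWebviewPreferences and installWebviewGuard are hypothetical names.

// Origins allowed to load inside a <webview> (constructed sample value).
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Mutates the webPreferences object Electron passes to 'will-attach-webview'
// and returns true when the attach may proceed.
function hardenWebviewPreferences(webPreferences, params) {
  // Force the flags off regardless of what the <webview> tag requested.
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInSubFrames = false;
  webPreferences.contextIsolation = true;
  webPreferences.sandbox = true;
  // Drop any preload script: it runs before guest content and with more
  // privilege than the page itself.
  delete webPreferences.preload;

  let origin;
  try {
    origin = new URL(params.src).origin;
  } catch {
    return false; // missing or unparsable src: refuse the attach
  }
  return ALLOWED_ORIGINS.has(origin);
}

// Wire the check into every WebContents. `app` is Electron's app module,
// passed in by the caller so this snippet needs no import of its own.
function installWebviewGuard(app) {
  app.on("web-contents-created", (_event, contents) => {
    contents.on("will-attach-webview", (event, webPreferences, params) => {
      if (!hardenWebviewPreferences(webPreferences, params)) {
        event.preventDefault(); // block the <webview> from attaching
      }
    });
  });
}
```

Call installWebviewGuard(app) once during main-process startup, before any window is created.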


Rule catalog ID: R039