Disclaimer: It is still under research, this guide can be extended.

Security Checklist

• [ ] loadURL loads only https:// links
• [ ] nodeIntegration is disabled (false)
• [ ] contextIsolation is enabled (true)
• [ ] sandbox is enabled (true)
• [ ] Permission request handlers are implemented (.setPermissionRequestHandler)
• [ ] webSecurity is enabled (true)
• [ ] Content Security Policy (CSP) is defined
• [ ] allowRunningInsecureContent is not used or is set to (false)
• [ ] experimentalFeatures is disabled or not used (false)
• [ ] enableBlinkFeatures is not used
• [ ] <webview> tag does not use allowpopups
• [ ] Application overwrites events new-window and will-navigate, and other event listeners
• [ ] Application limits content to only from trusted origins (review navigation)
• [ ] Verify WebView options before creation (reduce the attack vector for reading internal files through the <webview> tag)
• [ ] Application limits the URL protocol before calling the shell.openExternal function invoke (http://, https://) or informs the user and provides a consent page that opening the next page can be a malicious action

Review Methodology