Would It Be Safe To Enable Nodeintegration In Electron On A Local Page That Is Packaged With The App?
Solution 1:
TL;DR: Enabling nodeIntegration only imposes risks if you load and execute code from untrusted sources, i.e. the internet or from user input.
If you are completely sure that your application will only run the code you have created (and no NodeJS module loads scripts from the internet), basically, there is no to very little risk in enabling nodeIntegration.
However, if you allow the user to run code (i.e. input and then eval it) or you provide plug-in APIs where you do not have any control over the plug-ins loaded, the risk level rises because NodeJS allows any NodeJS script, e.g., to manipulate the filesystem.
On the other hand, if you disable nodeIntegration, you have no way of communicating with the main process or manipulating the BrowserWindow, thus cannot create custom window controls.
Solution 2:
Keep in mind that in the year 2021 you do not need nodeIntegration to communicate with the main process from the renderer process.
Instead, you use message passing, like this:
main.js

const {app, BrowserWindow, ipcMain} = require("electron");
const path = require("path");

app.whenReady().then(open_window);

function open_window() {
  // Explain: Create app window.
  const appWin = new BrowserWindow({
    width: 800,
    height: 600,
    opacity: 0.5,
    webPreferences: {
      preload: path.join(__dirname, "preload.js"),
    },
  });

  // Explain: Render the app.
  void appWin.loadFile("index.html");

  // Spec: User can hide App window by clicking the button.
  ipcMain.on("hide-me", () => appWin.minimize());

  // Spec-start: When User focuses App window - it becomes fully opaque.
  ipcMain.on("make-window-opaque", () => appWin.setOpacity(1));
  appWin.on("show", () => appWin.setOpacity(1));
  appWin.on("blur", () => appWin.setOpacity(0.5));
  // Spec-end.
}
preload.js

const {ipcRenderer} = require("electron");

// All of the Node.js APIs are available in the preload process.
// It has the same sandbox as a Chrome extension.
window.addEventListener("DOMContentLoaded", () => {
  // Spec: User can hide App window by clicking the button.
  document.querySelector("#hideBtn").addEventListener("click",
    () => ipcRenderer.send("hide-me"));

  // Spec: When User focuses App window - it becomes fully opaque.
  document.body.addEventListener("click", () => ipcRenderer.send("make-window-opaque"));
});
This example illustrates two instances of message passing:
- When User clicks the #hideBtn button - a message is dispatched that instructs main to hide the window.
- By default the window is half-transparent; when User clicks on the window (essentially, activating the click event on the body) - a message is dispatched that instructs main to make the window fully opaque.
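With message passing, the main process decides which IPC messages it acts on. The following is an added example, not code from either answer: a wrapper for the ipcMain listeners in main.js that runs them only for the two channels used there and only when the sending frame is a file:// page under the app directory. APP_BASE, isPackagedPage and guard are hypothetical names, and the sample events are constructed.

```javascript
// Added example. Channel names come from main.js above; APP_BASE is a
// constructed placeholder for the packaged app's directory URL.
const APP_BASE = "file:///opt/example-app/"; // in Electron: url.pathToFileURL(__dirname + "/").href
const ALLOWED_CHANNELS = new Set(["hide-me", "make-window-opaque"]);

// True only when frameUrl is a local file:// page located under baseUrl.
function isPackagedPage(frameUrl, baseUrl = APP_BASE) {
  let page, base;
  try {
    page = new URL(frameUrl); // parsing also collapses "../" segments
    base = new URL(baseUrl);
  } catch {
    return false; // empty or malformed URL
  }
  if (page.protocol !== "file:" || page.host !== "") return false; // remote origin or file host
  // Require a trailing "/" on the base so "/opt/example-app-evil/" cannot match.
  return base.pathname.endsWith("/") && page.pathname.startsWith(base.pathname);
}

// Wraps an ipcMain listener: it runs only for an allow-listed channel whose
// sender frame is one of the app's own packaged pages. Returns whether it ran.
function guard(channel, handler, baseUrl = APP_BASE) {
  return (event, ...args) => {
    const frame = event && event.senderFrame; // may be null if the frame is gone
    if (!ALLOWED_CHANNELS.has(channel) || !frame || !isPackagedPage(frame.url, baseUrl)) {
      return false; // dropped; a real app would log the channel and frame URL here
    }
    handler(event, ...args);
    return true;
  };
}

// Constructed events standing in for what ipcMain passes to a listener.
const fromApp = { senderFrame: { url: "file:///opt/example-app/index.html" } };
const fromWeb = { senderFrame: { url: "https://untrusted.example/page.html" } };
const escaped = { senderFrame: { url: "file:///opt/example-app/../other/index.html" } };

let minimized = 0;
const onHide = guard("hide-me", () => { minimized += 1; });
console.log(onHide(fromApp), onHide(fromWeb), onHide(escaped), minimized);
// In main.js: ipcMain.on("hide-me", guard("hide-me", () => appWin.minimize()));
```
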