diff --git a/docs/api/browser-window.md b/docs/api/browser-window.md
index 47b3ca0fdd679..67284a270fc19 100644
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@@ -348,9 +348,9 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
 You can access this context in the dev tools by selecting the 'Electron Isolated Context' entry in the combo box at the top of the Console tab.
- * `worldSafeExecuteJavaScript` Boolean (optional) - Whether to ensure JS values
- can't unsafely cross worlds when using `webFrame.executeJavaScript`. The default
- is `false` though this will be irreversibly be changing to `true` in Electron 12.
+ * `worldSafeExecuteJavaScript` Boolean (optional) - If true, values returned from `webFrame.executeJavaScript` will be sanitized to ensure JS values
+ can't unsafely cross between worlds when using `contextIsolation`. The default
+ is `false`. In Electron 12, the default will be changed to `true`. _Deprecated_
 * `nativeWindowOpen` Boolean (optional) - Whether to use native `window.open()`. Defaults to `false`. Child windows will always have node integration disabled unless `nodeIntegrationInSubFrames` is true. **Note:** This option is currently
diff --git a/lib/renderer/api/web-frame.ts b/lib/renderer/api/web-frame.ts
index de5c0206e935f..cb13c0fe54899 100644
--- a/lib/renderer/api/web-frame.ts
+++ b/lib/renderer/api/web-frame.ts
@@ -58,7 +58,7 @@ for (const name in binding) {
 // use a neat `keyof` here
 (WebFrame as any).prototype[name] = function (...args: Array) {
 if (!worldSafeJS && name.startsWith('executeJavaScript')) {
- deprecate.log(`Security Warning: webFrame.${name} was called without worldSafeExecuteJavaScript set to true. This is considered unsafe and the default of worldSafeExecuteJavaScript will be changing to true in Electron 12.`);
+ deprecate.log(`Security Warning: webFrame.${name} was called without worldSafeExecuteJavaScript enabled. This is considered unsafe. worldSafeExecuteJavaScript will be enabled by default in Electron 12.`);
 }
 return binding[name](this.context, ...args);
 };
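Review bot: The reworded warning in the added `deprecate.log(...)` line no longer tells the developer what to change. The old text at least said "set to true", while the new one says only "enabled" and never names where the option lives. Since this message is the only runtime signal that return values cross worlds unsanitized, I would make it actionable, e.g. `deprecate.log(`Security Warning: webFrame.${name} was called without worldSafeExecuteJavaScript enabled. This is considered unsafe; set worldSafeExecuteJavaScript: true in webPreferences. It will be enabled by default in Electron 12.`);`. It is also worth confirming that routing a security warning through `deprecate.log` does not let it be silenced together with ordinary deprecation notices; that helper is not visible here, so this is an assumption to check. The enclosing `for` loop and the wrapper function start and end outside the hunk.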