New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preload script does not have access to global window object when contextIsolation is set to true #15715
Comments
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can. To help make it easier for us to investigate your issue, please follow the contributing guidelines. |
This is expected behaviour. |
@nornagon Would it be okay for me to open a pr changing the documentation to reflect this expected behavior? |
Sure! |
As far as I understand, |
a) those are the _default_, not the only option
b) this is not the appropriate place to discuss those features, as this PR
doesn't affect those features.
…On Fri, Jan 18, 2019 at 12:02 DevJac ***@***.***> wrote:
As far as I understand, nodeIntegration: false and contextIsolation: true
will become default in the future. If that is the case, I see no way of
using node features inside a rendering process? Is the intention to not use
any node features in the rendering process going forward?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#15715 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAKjACzeUPHKVUn9CaznKq1kLc94SqPqks5vEihvgaJpZM4YeVWI>
.
|
Thanks for the quick reply. So Electron will be more secure by default, but people can enable You said "this PR doesn't affect those features", but this isn't a pull request as best I can tell? I will look into making a PR to update the documentation. Thanks again. EDIT: It looks like there is already a PR for updating the documentation: #15738 |
To visitor from the future: How to access BrowserWindow 'from' preload with contextIsolation true. |
node_modules/.bin/electron --version
: 3.0.9node_modules/.bin/electron --version
on last known working Electron version (if applicable): 3.0.9Expected Behavior
A preload script ran when opening a browserwindow with contextIsolation set to true should have access to global window and document objects.
Actual behavior
With contextIsolation enabled on the browserwindow, the preload script will run and can add objects to the global window object, but the rendered content will not have the same global window object as the preload script.
To Reproduce
set up a browserWindow with
webpreferences { nodeIntegration: false, contextIsolation: true, preload: 'path/to/preload' }
preload.js =>
window.hello = 'hello'
remote web app =>
console.log(window.hello) = "undefined"
Additional Information
Alternatively you can turn sandbox on, and contextisolation off and everything works as the docs describe and there are no security warnings. Is this the new alternative or is this still not a secure way to handle this use case.
Several users have reported that after version 1.0.8 contextisolation set to true did not give the preload script access to the global window object of what is rendered, is this an intended change? If so maybe the documentation could be updated. The browserwindow documentation under the contextIsolation heading: "The context that the preload script runs in will still have full access to the document and window globals"
Related issues: kewde/electron-sandbox-boilerplate#14 #13134
Thanks
The text was updated successfully, but these errors were encountered: