[Bug]: Unable to load preload script due enable sandbox by default

[oalfroukh]

Preflight Checklist

• I have read the Contributing Guidelines for this project.
• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a bug report that matches the one I want to file, without success.

Electron Version

21.3.1

What operating system are you using?

Windows

Operating System Version

Windows 10.0.19041

What arch are you using?

x64

Last Known Working Electron version

19.1.6

Expected Behavior

Loading preload script without issues.

Actual Behavior

Unable to load preload script due to Error: module not found: inversify

Testcase Gist URL

No response

Additional Information

• We are using InversifyJS library to inversion of control (IoC) container for TypeScript in both the main and renderer process in our project, it's OK on the main process while not on the renderer process.

• Electron v20 has a breaking change feat: sandbox preloads by default #35125 , after enabling sandbox we got an error Error: module not found: inversify that will prevent loading the preload script, while when disabling sandbox will be OK, but we would like to apply Electron recommendations for the security on our app.

• I can not attach Electron Fiddle project that doesn't support ts, Here is a quick app on GitHub to reproduce the issue

** Edit: Here is Electron Fiddle project with the same issue when using jszip library.

[VerteDinde]

Hey @oalfroukh, thanks for reporting this issue! This is happening because your preload script is trying to use node in the renderer process, which Electron no longer allows by default. It's not technically a bug; this is by design.

Like you mentioned above, you can get around this in the short-term by explicitly specifying sandbox: false for the relevant renderer processes. In the longer term, we'd recommend refactoring the renderer process to remove Node usage. You can read more about the breaking change here (link) and the reasoning behind why we're doing this here (link).

Since this isn't technically a bug, I'm going to close this issue, but if you'd like to discuss further, let me know and I can reopen it. Thanks!

[pranavwani]

Hey @oalfroukh, thanks for reporting this issue! This is happening because your preload script is trying to use node in the renderer process, which Electron no longer allows by default. It's not technically a bug; this is by design.

Like you mentioned above, you can get around this in the short-term by explicitly specifying sandbox: false for the relevant renderer processes. In the longer term, we'd recommend refactoring the renderer process to remove Node usage. You can read more about the breaking change here (link) and the reasoning behind why we're doing this here (link).

Since this isn't technically a bug, I'm going to close this issue, but if you'd like to discuss further, let me know and I can reopen it. Thanks!

Hi @VerteDinde

What if i disabled sandox, enable ContextIsolation to true and want to use require API to import relative module/script? Does it also cause issue in future as you suggested to refactor renderer process to remove Node.js usge.

main.js

const windowConfig = {
        width: winState.width,      
        height: winState.height,
        x: winState.x,
        y: winState.y, 
        show: false,
        webPreferences: {
            sandbox: false,
            contextIsolation: true,
            preload: path.join(__dirname, `preload.js`)
        }
    }

preload.js

const { contextBridge } = require('electron');
const module = require('./module')

contextBridge.exposeInMainWorld('api', {
     module
})