feat: security: add an option to disable the remote module #13028
Other potentially dangerous IPC messages are
This is a good initiative, but if the end goal is to make it possible to securely run untrusted code in a sandboxed renderer, we need something more radical than simply disabling the remote module. What I have considered for some time was the implementation of a In addition, the preload script of Keep in mind that this is just an idea which I had some time to think about, and introducing new APIs that say Electron apps can run untrusted code requires a lot more careful planning, as we may be pushing a false idea of security which can have bad consequences for users. What I mean is that a lot of people will see this option and immediately assume it is safe to load any web page into Electron (without trying to understand how it works), which is simply not true.
@tarruda are you coming to the Electron summit in Prague? It should be one of the topics to be discussed IMHO.
Just booked my flight/airbnb
@miniak What is the status of this?
@MarshallOfSound it still needs some love. Seems like remote is also used internally for some logic or something. I need to check how to handle that.
@miniak This one has conflicts as well
@MarshallOfSound conflicts resolved + fixed internal usages of remote (either fails gracefully or re-implemented not to use remote)
@MarshallOfSound can you please unblock? all comments should be resolved now.
@MarshallOfSound can you please also merge? I cannot do that myself :(
Release Notes Persisted
I'm going to create a backport PR to the
/trop run backport
The backport process for this PR has been manually initiated, here we go! :D
We have automatically backported this PR to "4-0-x", please check out #15222 |
Description of Change
The webPreferences.sandbox option is not sufficient to fully prevent exploitation if the remote module still allows access to fs and other modules via the main process. This proposal adds a new option webPreferences.enableRemoteModule, which blocks access to the remote module on the main process side.
electron.remote, which allows code to check whether the app can use remote beforehand
rpc-server.js ignores all IPC messages implementing the remote module
Checklist
npm test passes
Release Notes
Notes: Added webPreferences.enableRemoteModule option allowing to disable the remote module to increase sandbox security.
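An added example (not code from this PR or from Electron): a small audit over BrowserWindow option objects that flags windows relying on sandbox while the remote module is still enabled, which is the gap the description above names. The window names and sample configurations are constructed, and treating an omitted or non-boolean enableRemoteModule as enabled is an assumption made to keep the check conservative.

```javascript
// Added example: audit BrowserWindow option objects (plain data, no Electron needed).
// Assumption: enableRemoteModule counts as enabled unless it is exactly `false`,
// so an omitted or mistyped value is reported rather than trusted.
function remoteModuleEnabled(webPreferences) {
  return webPreferences.enableRemoteModule !== false;
}

// Flag windows that set sandbox: true but leave the remote module reachable.
function auditWebPreferences(windows) {
  const findings = [];
  for (const { name, webPreferences = {} } of windows) {
    if (webPreferences.sandbox !== true) continue; // only sandboxed windows are in scope
    if (!remoteModuleEnabled(webPreferences)) continue;
    const value = webPreferences.enableRemoteModule;
    findings.push({
      name,
      reason: value === undefined
        ? 'enableRemoteModule not set'
        : `enableRemoteModule is ${JSON.stringify(value)}, not boolean false`,
    });
  }
  return findings;
}

// Return a copy of the options with the remote module explicitly disabled.
function hardenWebPreferences(webPreferences = {}) {
  return { ...webPreferences, enableRemoteModule: false };
}

// Constructed sample configurations (hypothetical window names).
const sampleWindows = [
  { name: 'viewer', webPreferences: { sandbox: true } },
  { name: 'settings', webPreferences: { sandbox: true, enableRemoteModule: false } },
  { name: 'legacy', webPreferences: { sandbox: true, enableRemoteModule: 'false' } },
  { name: 'main', webPreferences: {} },
];

for (const f of auditWebPreferences(sampleWindows)) {
  console.log(`${f.name}: sandboxed, but ${f.reason}`);
}
```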