docs: update nodeIntegration section for new defaults #17715

Merged
merged 3 commits into from Apr 29, 2019
16 changes: 14 additions & 2 deletions docs/tutorial/first-app.md
Expand Up @@ -109,7 +109,13 @@ const { app, BrowserWindow } = require('electron')

function createWindow () {
// Create the browser window.
let win = new BrowserWindow({ width: 800, height: 600 })
let win = new BrowserWindow({
width: 800,
height: 600,
webPreferences: {
nodeIntegration: true
}
})

// and load the index.html of the app.
win.loadFile('index.html')
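Review bot: the added `webPreferences: { nodeIntegration: true }` in the quick-start snippet re-enables exactly the setting that this same PR's change to `docs/tutorial/security.md` tells readers not to enable. It is defensible here only because the window loads the app's own `index.html` via `win.loadFile(...)` rather than a remote URL, but nothing in the tutorial text says so; add a sentence next to the snippet explaining that `nodeIntegration: true` is acceptable for local content only and pointing to the security tutorial for windows that load remote content, so the first example new users copy does not become their default for every window.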
Expand All @@ -132,7 +138,13 @@ let win

function createWindow () {
// Create the browser window.
win = new BrowserWindow({ width: 800, height: 600 })
let win = new BrowserWindow({
width: 800,
height: 600,
webPreferences: {
nodeIntegration: true
}
})

// and load the index.html of the app.
win.loadFile('index.html')
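Review bot: the added `let win = new BrowserWindow({` introduces a block-scoped variable that shadows the module-level `let win` shown in the hunk header (`@@ -132,7 +138,13 @@ let win`). The removed line assigned to that outer variable (`win = new BrowserWindow({ width: 800, height: 600 })`), which is what the rest of this example relies on to track the window and recreate it later; with `let`, the outer `win` is never set. Drop the `let`, so the line reads `win = new BrowserWindow({`, matching the first snippet's intent while keeping the new `webPreferences` block.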
18 changes: 12 additions & 6 deletions docs/tutorial/security.md
Expand Up @@ -96,7 +96,7 @@ either `process.env` or the `window` object.
You should at least follow these steps to improve the security of your application:

1. [Only load secure content](#1-only-load-secure-content)
2. [Disable the Node.js integration in all renderers that display remote content](#2-disable-nodejs-integration-for-remote-content)
2. [Disable the Node.js integration in all renderers that display remote content](#2-do-not-enable-nodejs-integration-for-remote-content)
3. [Enable context isolation in all renderers that display remote content](#3-enable-context-isolation-for-remote-content)
4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content)
5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity)
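Review bot: the checklist item's link target is updated to `#2-do-not-enable-nodejs-integration-for-remote-content` (which does match the slug of the retitled heading), but its visible text still reads "Disable the Node.js integration in all renderers that display remote content" while the section is now titled "Do not enable Node.js Integration for Remote Content". Update the link text to "Do not enable Node.js integration in any renderer that displays remote content" so the checklist and the heading use the same wording and readers do not go looking for a setting to turn off.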
Expand Down Expand Up @@ -159,9 +159,11 @@ browserWindow.loadURL('https://example.com')
```


## 2) Disable Node.js Integration for Remote Content
## 2) Do not enable Node.js Integration for Remote Content

It is paramount that you disable Node.js integration in any renderer
_Recommendation is Electron's default_

It is paramount that you do not enable Node.js integration in any renderer
([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or
[`<webview>`][webview-tag]) that loads remote content. The goal is to limit the
powers you grant to remote content, thus making it dramatically more difficult
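Review bot: the added line `_Recommendation is Electron's default_` states the new default without saying since which release it applies, so readers on an older Electron (where the previous paragraph's "disable" wording was accurate) would assume they are already covered. Qualify it with the version in which `nodeIntegration` became `false` by default, and keep a short clause noting that anyone who has explicitly set `nodeIntegration: true` for a renderer that loads remote content must still remove it, since the default does not override an explicit setting.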
Expand All @@ -185,16 +187,20 @@ so-called "Remote Code Execution" (RCE) attack.

```js
// Bad
const mainWindow = new BrowserWindow()
const mainWindow = new BrowserWindow({
webPreferences: {
nodeIntegration: true,
nodeIntegrationInWorker: true
}
})

mainWindow.loadURL('https://example.com')
```

```js
// Good
const mainWindow = new BrowserWindow({
webPreferences: {
nodeIntegration: false,
nodeIntegrationInWorker: false,
preload: path.join(app.getAppPath(), 'preload.js')
}
})
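Review bot: the "Good" example sets `nodeIntegration: false` and `nodeIntegrationInWorker: false` explicitly, which is now redundant with the defaults described above but worth keeping as a defensive, self-documenting choice; a one-line comment saying these are the defaults and are spelled out on purpose would prevent a future cleanup from removing them. Separately, the snippet calls `path.join(app.getAppPath(), 'preload.js')` without `path` or `app` being required anywhere in the example; add `const path = require('path')` and pull `app` from `require('electron')` alongside `BrowserWindow` so the block runs as pasted.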