diff --git a/docs/tutorial/first-app.md b/docs/tutorial/first-app.md
index 9dd795b308412..ab05c3cc79bf0 100644
--- a/docs/tutorial/first-app.md
+++ b/docs/tutorial/first-app.md
@@ -109,7 +109,13 @@ const { app, BrowserWindow } = require('electron')
 function createWindow () {
 // Create the browser window.
- let win = new BrowserWindow({ width: 800, height: 600 })
+ let win = new BrowserWindow({
+ width: 800,
+ height: 600,
+ webPreferences: {
+ nodeIntegration: true
+ }
+ })
 // and load the index.html of the app.
 win.loadFile('index.html')
@@ -132,7 +138,13 @@ let win
 function createWindow () {
 // Create the browser window.
- win = new BrowserWindow({ width: 800, height: 600 })
+ let win = new BrowserWindow({
+ width: 800,
+ height: 600,
+ webPreferences: {
+ nodeIntegration: true
+ }
+ })
 // and load the index.html of the app.
 win.loadFile('index.html')
diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
index e71fbdd139da1..d97d89182840f 100644
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@@ -96,7 +96,7 @@ either `process.env` or the `window` object.
 You should at least follow these steps to improve the security of your application:
 1. [Only load secure content](#1-only-load-secure-content)
-2. [Disable the Node.js integration in all renderers that display remote content](#2-disable-nodejs-integration-for-remote-content)
+2. [Disable the Node.js integration in all renderers that display remote content](#2-do-not-enable-nodejs-integration-for-remote-content)
 3. [Enable context isolation in all renderers that display remote content](#3-enable-context-isolation-for-remote-content)
 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content)
 5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity)
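Review bot: In the second first-app.md hunk (`@@ -132,7 +138,13 @@ let win`) the assignment `win = new BrowserWindow({` became `let win = new BrowserWindow({`, which declares a function-local `win` that shadows the module-level `let win` named in the hunk header; the outer binding is never assigned, so any later code in that sample that relies on it (for example to null it on close or to recreate the window on activate) would see `undefined`. The first hunk already used a local `let win` before this change, so only the second hunk needs the one-token change back to `win = new BrowserWindow({`; createWindow's body continues past the end of both hunks. Both hunks also switch on `nodeIntegration: true` without saying why, and this sample loads a local file via `win.loadFile('index.html')`, so a comment next to the option such as `// off by default since Electron 5.0.0; only acceptable here because this window loads local, trusted content, never for renderers that load remote URLs` would keep the tutorial consistent with the rule stated in docs/tutorial/security.md in the same commit.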
@@ -159,9 +159,11 @@ browserWindow.loadURL('https://example.com')
 ```
-## 2) Disable Node.js Integration for Remote Content
+## 2) Do not enable Node.js Integration for Remote Content
-It is paramount that you disable Node.js integration in any renderer
+_This recommendation is the default behavior in Electron since 5.0.0._
+
+It is paramount that you do not enable Node.js integration in any renderer
 ([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or
 [``][webview-tag]) that loads remote content. The goal is to limit the
 powers you grant to remote content, thus making it dramatically more difficult
@@ -185,7 +187,13 @@ so-called "Remote Code Execution" (RCE) attack.
 ```js
 // Bad
-const mainWindow = new BrowserWindow()
+const mainWindow = new BrowserWindow({
+ webPreferences: {
+ nodeIntegration: true,
+ nodeIntegrationInWorker: true
+ }
+ })
+
 mainWindow.loadURL('https://example.com')
 ```
@@ -193,8 +201,6 @@ mainWindow.loadURL('https://example.com')
 // Good
 const mainWindow = new BrowserWindow({
 webPreferences: {
- nodeIntegration: false,
- nodeIntegrationInWorker: false,
 preload: path.join(app.getAppPath(), 'preload.js')
 }
 })
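Review bot: The last hunk (`@@ -193,8 +201,6 @@`) drops `nodeIntegration: false,` and `nodeIntegrationInWorker: false,` from the "Good" example, so the snippet now depends on the Electron 5.0.0 default stated earlier in the same file instead of showing the secure setting; a reader on an older release, or one pasting this into an app that sets those flags elsewhere, gets no signal that they must be off. Keeping both lines alongside `preload` is cheap and keeps the contrast with the "Bad" block, which now sets both to `true`, explicit. If the intent really is to rely on the default, a comment inside `webPreferences` such as `// nodeIntegration and nodeIntegrationInWorker default to false since Electron 5.0.0` would preserve that information for the reader. The `BrowserWindow` call in that hunk is complete within the hunk.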