5/1/2023

Electron api document

electron-spellchecker is a library to help you implement spellchecking in your Electron applications, as well as handle default right-click Context Menus (since spell checking shows up in them). This library intends to solve the problem of spellchecking in a production-ready, international-friendly way.

- Spell checks in all of the languages that Google Chrome supports by reusing its dictionaries.
- Automatically detects the language the user is typing in and silently switches on the fly.
- Handles locale correctly and automatically (i.e. users who are from Australia should not be corrected for 'colour', but US English speakers should)
- Automatically downloads and manages dictionaries in the background.

Quick Start

```js
import { SpellCheckHandler, ContextMenuBuilder } from 'electron-spellchecker';

window.spellCheckHandler = new SpellCheckHandler();

// Start off as US English, America #1 (lol)

let contextMenuBuilder = new ContextMenuBuilder(window.
```

I've published a larger post on the history of Electron and its security that provides additional context on the changes that affect how security was approached in different framework versions (and what's the best approach to take).

I hope this answer gets some attention, because a large majority of answers here leave large security holes in your electron app. In fact this answer is essentially what you should be doing to use require() in your electron apps. (There is just a new electron API that makes it a little bit cleaner in v7).

I wrote a detailed explanation/solution in github using the most current electron apis of how you can require() something, but I'll explain briefly here why you should follow an approach using a preload script, contextBridge and ipc.

The problem

Electron apps are great because we get to use node, but this power is a double-edged sword. If we are not careful, we give someone access to node through our app, and with node a bad actor can corrupt your machine or delete your operating system files (among other things, I imagine).

As brought up by in a comment, this is necessary when loading remote content. If your electron app is entirely offline/local, then you are probably okay simply turning on nodeIntegration:true. I still would, however, opt to keep nodeIntegration:false to act as a safeguard for accidental/malicious users using your app, and prevent any possible malware that might ever get installed on your machine from interacting with your electron app and using the nodeIntegration:true attack vector (incredibly rare, but could happen)!

What does the problem look like

This problem manifests when you (any one of the below):

All of these problems give uninterrupted access to node from your renderer process. If your renderer process is ever hijacked, you can consider all is lost.

The solution is to not give the renderer direct access to node (ie. require()), but to give our electron main process access to require, and anytime our renderer process needs to use require, marshal a request to the main process.

The way this works in the latest versions (7+) of Electron is on the renderer side we set up ipcRenderer bindings, and on the main side we set up ipcMain bindings. In the ipcMain bindings we set up listener methods that use modules we require(). This is fine and well because our main process can require all it wants.

We use the contextBridge to pass the ipcRenderer bindings to our app code (to use), and so when our app needs to use the required modules in main, it sends a message via IPC (inter-process-communication) and the main process runs some code, and we then send a message back with our result.

```js
// Keep a global reference of the window object, if you don't, the window will
// be closed automatically when the JavaScript object is garbage collected.
// ...
      nodeIntegration: false, // is default value after Electron v5
      contextIsolation: true, // protect against prototype pollution
      enableRemoteModule: false, // turn off remote
      preload: path.join(__dirname, "preload.js") // use a preload script
// ...
win.loadFile(path.join(__dirname, "dist/index.html"));
// ...
fs.readFile("path/to/file", (error, data) => {
  // ...
});
```

Your preload script will have to use IPC to call the Main process to do everything. If sandbox is false, your preload script can access Node API directly, as in require('fs').readFile.
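The preload script, contextBridge and IPC split described on this page, as an added example that is not code from the original answer: the preload side exposes only allowlisted channels and the main side validates every argument it receives. The in-memory IPC stand-in, the channel names `notes:read` and `settings:reset`, and the `NOTES` data are assumptions constructed so the example runs under plain Node without Electron.

```javascript
// Constructed in-memory stand-in for Electron IPC so this runs under plain Node.
// In an app, handle() is ipcMain.handle and invoke() is ipcRenderer.invoke.
function makeFakeIpc() {
  const handlers = new Map();
  return {
    handle: (channel, fn) => handlers.set(channel, fn),
    invoke: async (channel, ...args) => {
      if (!handlers.has(channel)) throw new Error("no handler: " + channel);
      return handlers.get(channel)({}, ...args); // {} stands in for the IPC event
    },
  };
}

// Preload side: the renderer gets this filtered wrapper, never ipcRenderer itself.
// In an app: contextBridge.exposeInMainWorld("api", buildApi(ipcRenderer)).
const ALLOWED_CHANNELS = new Set(["notes:read"]); // hypothetical channel name
function buildApi(ipc) {
  return Object.freeze({
    invoke(channel, ...args) {
      if (!ALLOWED_CHANNELS.has(channel)) {
        return Promise.reject(new Error("blocked channel: " + channel));
      }
      return ipc.invoke(channel, ...args);
    },
  });
}

// Main side: handlers do the privileged work and validate every argument,
// because a hijacked renderer controls what is sent on an allowed channel.
const NOTES = new Map([["todo.txt", "buy milk"]]); // constructed data, stands in for fs
function registerHandlers(ipc) {
  ipc.handle("notes:read", (_event, name) => {
    if (typeof name !== "string" || !/^[A-Za-z0-9_-]+\.txt$/.test(name)) {
      throw new Error("invalid note name");
    }
    return NOTES.has(name) ? NOTES.get(name) : null;
  });
  ipc.handle("settings:reset", () => "reset done"); // in main, but not exposed
}

// Issues three requests the way renderer code would and reports each outcome.
async function demo() {
  const ipc = makeFakeIpc();
  registerHandlers(ipc);
  const api = buildApi(ipc);
  const calls = [["notes:read", "todo.txt"], ["notes:read", "../secret.txt"], ["settings:reset"]];
  return Promise.all(calls.map((c) =>
    api.invoke(...c).then((v) => "ok: " + v, (e) => "error: " + e.message)));
}
```

The allowlist in the preload wrapper and the argument check in the handler are separate layers: the first limits which main-process code the renderer can reach, the second limits what it can make that code do.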