Question

153

Would it be safe to enable nodeIntegration in Electron on a local page that is packaged with the app?

rated 0 times [ 157] [ 4] / answers: 1 / hits: 21689 / 5 Years ago, thu, august 15, 2019, 12:00:00

I am stuck when creating custom window controls like close, min/max and restore with nodeIntegration turned off. I created the buttons in my renderer's local html file

main.js

mainWindow = new BrowserWindow({

    x, y, width, height,

    frame: false,

    show: false,

    webPreferences: { devTools: true }

});



mainWindow.loadURL(url.format({

    protocol: 'file:',

    slashes: true,

    pathname: path.join(__dirname, 'assets', 'index.html')

}));

index.html

<div id='minimize' class='noSelect'>&#xE921;</div>

<div id='maximize' class='noSelect'>&#xE922;</div>

<div id='restore' class='noSelect'>&#xE923;</div>

<div id='close' class='noSelect'>&#xE8BB;</div>



<script type='text/javascript' src='../assets/js/index.js'></script>

By default, nodeIntegration is off so index.js has no access to Node. However, I need to be able to add functionality to the buttons to close, min/max and restore the window.

index.js

const { remote } = require('electron');

const mainWindow = remote.getCurrentWindow();



document.getElementById('close').addEventListener('click', () => {

  mainWindow.close();

});

This wouldn't work because of nodeIntegration being disabled. Is it safe to have it enabled in a local page? If not, what is a safe way of doing this?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

alanisannettep

Add To Favorites

Follow

Total Points: 695

Total Questions: 96

Total Answers: 91

Location: Australia

Member since Sat, May 27, 2023

1 Year ago

answered 5 Years ago patriciakiarrac · Accepted Answer

TL;DR: Enabling nodeIntegration only imposes risks if you load and execute code from untrusted sources, i.e. the internet or from user input.

If you are completely sure that your application will only run the code you have created (and no NodeJS module loads scripts from the internet), basically, there is no to very little risk if enabling nodeIntegration.

However, if you allow the user to run code (i.e. input and then eval it) or you provide plug-in APIs from which you do not have any control over the plug-ins loaded, the risk level rises because NodeJS allows any NodeJS script, ex., to manipulate the filesystem.

On the other hand, if you disable nodeIntegration, you have no way of communicating with the main process or manipulating the BrowserWindow, thus cannot create custom window controls. However, you can use a "preload" script file to build a bridge between the completely isolated renderer and the NodeJS world.

This is done by creating a script file which is then passed to the BrowserWindow as the preload: configuration option upon creation. Electron's documentation has some examples to get you started. Also, it's a good idea to familiarise yourself with Eelectron's security recommendations.