
CONTEXT_ISOLATION_JS_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 6 revisions

CONTEXT_ISOLATION_JS_CHECK - Review the use of the contextIsolation option

The contextIsolation feature introduces JavaScript context isolation for preload scripts, modelled on the isolated worlds used by Chrome extension content scripts. With this option enabled, the web content loaded in a renderer runs in a JS context separate from the one used by:

  • preload scripts
  • Electron’s internal framework code


The preload script will still have access to the page's globals such as window and document, but it will use its own set of JavaScript built-ins (Array, Object, JSON, etc.) and will be isolated from any changes the loaded page makes to the global environment.

contextIsolation is required for isolation even when nodeIntegration is disabled. Without it, the preload script and the page share a single JS context, so malicious page code can tamper with the built-ins and objects the preload script relies on and, through them, reach the Node.js APIs the preload script itself uses.


Risk

If contextIsolation is not used, malicious JS code loaded in the page shares a context with the preload script and can tamper with the JavaScript built-ins and native functions (for example by overriding methods on Array.prototype or Object.prototype) as well as with the preload script's own objects. Such prototype pollution lets the page subvert checks the preload script performs and abuse the privileged APIs it accesses.

Auditing

Ensure that contextIsolation is always enabled, i.e. that the webPreferences of every BrowserWindow set contextIsolation: true.

Starting from Electron v12, the flag is enabled by default, so an omitted flag is only a finding on older Electron versions, while an explicit contextIsolation: false is a finding regardless of version.
