-
Notifications
You must be signed in to change notification settings - Fork 15.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Discussion] Changing the defaults for nodeIntegration and contextIsolation to improve the default security posture of Electron applications #23506
Comments
This is marked as discussion, so I hope I'm allowed to post, if not, please limit to just collaborators. I feel this is a good change, but not many are prepared for. There are a lot of packages/templates that make use of remote and do not use IPC to talk between the processes. I've built a template that's supportive of this change, but I feel a lot will be discussing once this change is implemented. |
I'm not sure if this has been discussed anywhere (or if I'm not thinking through it correctly), but it does seem like there's a scenario in which:
The effect would be that node integration would be silently enabled in your app after the upgrade, which would potentially cause severe security issues. (I suppose that wouldn't matter if As a solution for this, would it be possible to check if |
That's a reasonable point, I don't think many people would explicitly say contextIsolation: false but we should probably handle that in some way @nornagon |
I can imagine throwing on |
@MarshallOfSound From some previous discussion with you, you mentioned that The docs currently make it seems like this is only useful when there's a preload script, or you're loading a URL. Should they be updated to indicate that it should be on everywhere (even though that will be the default behavior anyway) |
Does this mean Native modules will not work anymore in electron? I just added |
No.
See #18397 |
This doesn't help. |
Sounds like a great change to me. I'm always for security-by-default and always wondered why Anyway, what about Same with |
…integration flag with context isolation as recommended in electron/electron#23506
As I am providing a few small apps that works with nodeintegration set to true for realm db, react js, babel and webpack, |
I think that the docs on security could use a little bit of updating, or maybe it's my knowledge that needs updating. @MarshallOfSound thanks so much for all your explanations in this thread; I'd be very grateful if you could correct any misunderstandings I have here or confirm that the docs could use some changes. https://www.electronjs.org/docs/latest/tutorial/security
On a related note, if everything Node related should be handled in the |
@slapbox The "for remote content" bit was removed in this commit actually, but maybe there's some other document that needs to be updated? Or it hasn't been "released" yet? |
Hi, Anyone has an idea to avoid these issues because there are hundreds of services on our app which are declared on our website side and Irreplaceable for the desktop app side? |
It can, in an indirect way - but it's quite tedious - too much so for me to outline here - but basically you need to pass any data you need from the |
… to contextIsolation:true (PR nativefier#1308) Copy-pastaing details from [Electron 12 breaking changes](https://www.electronjs.org/docs/latest/breaking-changes#planned-breaking-api-changes-120): > ### Default Changed: `contextIsolation` defaults to `true`[](https://www.electronjs.org/docs/latest/breaking-changes#default-changed-contextisolation-defaults-to-true "Direct link to heading") > > In Electron 12, `contextIsolation` will be enabled by default. To restore the previous behavior, `contextIsolation: false` must be specified in WebPreferences. > > We [recommend having contextIsolation enabled](https://www.electronjs.org/docs/latest/tutorial/security#3-enable-context-isolation-for-remote-content) for the security of your application. > > Another implication is that `require()` cannot be used in the renderer process unless `nodeIntegration` is `true` and `contextIsolation` is `false`. > > For more details see: [https://github.com/electron/electron/issues/23506](https://github.com/electron/electron/issues/23506) I find the security drop acceptable, as reverting the new Electron 12 isolation brings us to the previous level of security, and I don't have the time/will to keep the isolation and migrate to the newer better safer thing that Electron >= 12 wants. Co-authored-by: Radomír Polách <rp@t4d.cz>
…integration flag with context isolation as recommended in electron/electron#23506
Planned Changes
Change the default of
contextIsolation
fromfalse
totrue
Without
contextIsolation
any code running in a renderer process can quite easily reach into Electron internals or your preload script and perform privileged actions that you don't want arbitrary websites to be doing.For more information on
contextIsolation
, how to enable it easily and it's security benefits please see our dedicated Context Isolation Document.We're making this change to improve the default security of Electron apps so that your app is only insecure if you have deliberately opted in to the insecure behaviour.
Timeline
contextIsolation
in Electron 10true
) in Electron 12Remove the
nodeIntegration
flag completelyHistorically we have recommended that apps use
nodeIntegration: false
to prevent renderers from having access to Electron internals or therequire
function. Over time it has become clear that this flag actually has negligible security impact and can easily be bypassed. This was the original motivation for adding thecontextIsolation
flag.We are now confident enough in the
contextIsolation
feature that we intend to remove the misleadingnodeIntegration
flag and instead strongly recommend usage ofcontextIsolation
.Timeline
contextIsolation: true
instead ofnodeIntegration: false
in Electron 10The text was updated successfully, but these errors were encountered: