在与应用程序打包在一起的本地页面上在Electron中启用nodeIntegration是否安全? [英] Would it be safe to enable nodeIntegration in Electron on a local page that is packaged with the app?

问题描述

在创建自定义窗口控件(如关闭，最小/最大)以及在关闭nodeIntegration的情况下还原时，我陷入了困境.我在渲染器的本地html文件中创建了按钮

main.js

  mainWindow = new BrowserWindow({x，y，宽度，高度，框架:假，显示:假，webPreferences:{devTools:true}});mainWindow.loadURL(url.format({协议:文件:"，斜线:是的，路径名:path.join(__ dirname，'assets'，'index.html')})); 

index.html

 < div id ='minimize'class ='noSelect'>&#xE921;</div>< div id ='maximize'class ='noSelect'>&#xE922;</div>< div id ='restore'class ='noSelect'>&#xE923;</div>< div id ='close'class ='noSelect'>&#xE8BB;</div>< script type ='text/javascript'src ='../assets/js/index.js'></script> 

默认情况下，nodeIntegration处于关闭状态，因此 index.js 无法访问Node.但是，我需要能够向按钮添加功能以关闭，最小/最大并恢复窗口.

index.js

  const {remote} = require('electron');const mainWindow = remote.getCurrentWindow();document.getElementById('close').addEventListener('click'，()=> {mainWindow.close();}); 

由于nodeIntegration被禁用，因此无法使用.在本地页面中启用它是否安全?如果没有，那么安全的方法是什么?

解决方案

TL; DR::仅当您从不受信任的来源加载并执行代码时，启用 nodeIntegration 会带来风险，即互联网或用户输入.

如果您完全确定您的应用程序将只运行您创建的代码(并且没有NodeJS模块从Internet加载脚本)，那么基本上，启用 nodeIntegration 的风险很小

但是，如果您允许用户运行代码(即输入然后 eval )，或者您提供的插件API无法控制所加载的插件，由于NodeJS允许任何NodeJS脚本(例如)操纵文件系统，因此风险级别上升.

另一方面，如果禁用 nodeIntegration ，则无法与主进程进行通信或操作 BrowserWindow ，因此无法创建自定义窗口控件./p>

I am stuck when creating custom window controls like close, min/max and restore with nodeIntegration turned off. I created the buttons in my renderer's local html file

main.js

mainWindow = new BrowserWindow({
    x, y, width, height,
    frame: false,
    show: false,
    webPreferences: { devTools: true }
});

mainWindow.loadURL(url.format({
    protocol: 'file:',
    slashes: true,
    pathname: path.join(__dirname, 'assets', 'index.html')
}));

index.html

<div id='minimize' class='noSelect'>&#xE921;</div>
<div id='maximize' class='noSelect'>&#xE922;</div>
<div id='restore' class='noSelect'>&#xE923;</div>
<div id='close' class='noSelect'>&#xE8BB;</div>

<script type='text/javascript' src='../assets/js/index.js'></script>

By default, nodeIntegration is off so index.js has no access to Node. However, I need to be able to add functionality to the buttons to close, min/max and restore the window.

index.js

const { remote } = require('electron');
const mainWindow = remote.getCurrentWindow();

document.getElementById('close').addEventListener('click', () => {
  mainWindow.close();
});

This wouldn't work because of nodeIntegration being disabled. Is it safe to have it enabled in a local page? If not, what is a safe way of doing this?

解决方案

TL;DR: Enabling nodeIntegration only imposes risks if you load and execute code from untrusted sources, i.e. the internet or from user input.

If you are completely sure that your application will only run the code you have created (and no NodeJS module loads scripts from the internet), basically, there is no to very little risk if enabling nodeIntegration.

However, if you allow the user to run code (i.e. input and then eval it) or you provide plug-in APIs from which you do not have any control over the plug-ins loaded, the risk level rises because NodeJS allows any NodeJS script, ex., to manipulate the filesystem.

On the other hand, if you disable nodeIntegration, you have no way of communicating with the main process or manipulating the BrowserWindow, thus cannot create custom window controls.

这篇关于在与应用程序打包在一起的本地页面上在Electron中启用nodeIntegration是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！