mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

docs: update sandbox-option.md (#17468)

Browse source 
* docs: update sandbox-option.md

* Update docs/api/sandbox-option.md

Co-Authored-By: miniak <milan.burda@gmail.com>
This commit is contained in:
Milan Burda 2019-03-21 14:41:53 +01:00 committed by Alexey Kuzmin
parent b25279df89
commit 07b02653ba
2 changed files with 12 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/api/app.md
View file

@ -1240,7 +1240,7 @@ Returns `String` - The command-line switch value.
**Note:** When the switch is not present or has no value, it returns empty string. **Note:** When the switch is not present or has no value, it returns empty string.
### `app.enableSandbox()` _Experimental_ _macOS_ _Windows_ ### `app.enableSandbox()` _Experimental_
Enables full sandbox mode on the app. Enables full sandbox mode on the app.

45
docs/api/sandbox-option.md
View file

@ -1,9 +1,7 @@
# `sandbox` Option # `sandbox` Option
> Create a browser window with a renderer that can run inside Chromium OS sandbox. With this > Create a browser window with a sandboxed renderer. With this
option enabled, the renderer must communicate via IPC to the main process in order to access node APIs. option enabled, the renderer must communicate via IPC to the main process in order to access node APIs.
However, in order to enable the Chromium OS sandbox, Electron must be run with the `--enable-sandbox`
command line argument.
One of the key security features of Chromium is that all blink rendering/JavaScript One of the key security features of Chromium is that all blink rendering/JavaScript
code is executed within a sandbox. This sandbox uses OS-specific features to ensure code is executed within a sandbox. This sandbox uses OS-specific features to ensure
@ -56,36 +54,18 @@ only via IPC. The use of this option stops Electron from creating a Node.js runt
within this new window `window.open` follows the native behaviour (by default Electron creates a [`BrowserWindow`](browser-window.md) within this new window `window.open` follows the native behaviour (by default Electron creates a [`BrowserWindow`](browser-window.md)
and returns a proxy to this via `window.open`). and returns a proxy to this via `window.open`).
It is important to note that this option alone won't enable the OS-enforced sandbox. To enable this feature, the [`app.enableSandbox`](app.md#appenablesandbox-experimental) can be used to force `sandbox: true` for all `BrowserWindow` instances.
`--enable-sandbox` command-line argument must be passed to electron, which will
force `sandbox: true` for all `BrowserWindow` instances.
```js ```js
let win let win
app.enableSandbox()
app.on('ready', () => { app.on('ready', () => {
// no need to pass `sandbox: true` since `--enable-sandbox` was enabled. // no need to pass `sandbox: true` since `app.enableSandbox()` was called.
win = new BrowserWindow() win = new BrowserWindow()
win.loadURL('http://google.com') win.loadURL('http://google.com')
}) })
``` ```
Note that it is not enough to call
`app.commandLine.appendSwitch('--enable-sandbox')`, as electron/node startup
code runs after it is possible to make changes to Chromium sandbox settings. The
switch must be passed to Electron on the command-line:
```sh
electron --enable-sandbox app.js
```
It is not possible to have the OS sandbox active only for some renderers, if
`--enable-sandbox` is enabled, normal Electron windows cannot be created.
If you need to mix sandboxed and non-sandboxed renderers in one application,
omit the `--enable-sandbox` argument. Without this argument, windows
created with `sandbox: true` will still have Node.js disabled and communicate
only via IPC, which by itself is already a gain from security POV.
## Preload ## Preload
An app can make customizations to sandboxed renderers using a preload script. An app can make customizations to sandboxed renderers using a preload script.
@ -110,8 +90,8 @@ and preload.js:
// This file is loaded whenever a javascript context is created. It runs in a // This file is loaded whenever a javascript context is created. It runs in a
// private scope that can access a subset of Electron renderer APIs. We must be // private scope that can access a subset of Electron renderer APIs. We must be
// careful to not leak any objects into the global scope! // careful to not leak any objects into the global scope!
const fs = require('fs') const { ipcRenderer, remote } = require('electron')
const { ipcRenderer } = require('electron') const fs = remote.require('fs')
// read a configuration file using the `fs` module // read a configuration file using the `fs` module
const buf = fs.readFileSync('allowed-popup-urls.json') const buf = fs.readFileSync('allowed-popup-urls.json')
@ -136,9 +116,7 @@ Important things to notice in the preload script:
access to a limited node-like environment: `Buffer`, `process`, `setImmediate` access to a limited node-like environment: `Buffer`, `process`, `setImmediate`
and `require` are available. and `require` are available.
- The preload script can indirectly access all APIs from the main process through the - The preload script can indirectly access all APIs from the main process through the
`remote` and `ipcRenderer` modules. This is how `fs` (used above) and other `remote` and `ipcRenderer` modules.
modules are implemented: They are proxies to remote counterparts in the main
process.
- The preload script must be contained in a single script, but it is possible to have - The preload script must be contained in a single script, but it is possible to have
complex preload code composed with multiple modules by using a tool like complex preload code composed with multiple modules by using a tool like
browserify, as explained below. In fact, browserify is already used by browserify, as explained below. In fact, browserify is already used by
@ -150,7 +128,6 @@ the following should be used:
```sh ```sh
browserify preload/index.js \ browserify preload/index.js \
-x electron \ -x electron \
-x fs \
--insert-global-vars=__filename,__dirname -o preload.js --insert-global-vars=__filename,__dirname -o preload.js
``` ```
@ -163,14 +140,14 @@ injects code for those).
Currently the `require` function provided in the preload scope exposes the Currently the `require` function provided in the preload scope exposes the
following modules: following modules:
- `child_process`
- `electron` - `electron`
- `crashReporter` - `crashReporter`
- `remote` - `desktopCapturer`
- `ipcRenderer` - `ipcRenderer`
- `nativeImage`
- `remote`
- `webFrame` - `webFrame`
- `fs` - `events`
- `os`
- `timers` - `timers`
- `url` - `url`