docs: Improved documentation (#13403)
This commit is contained in:
parent
2440d03595
commit
1fd6d38a0a
18 changed files with 79 additions and 79 deletions
|
@ -2,7 +2,7 @@
|
|||
|
||||
> Create a browser window with a renderer that can run inside Chromium OS sandbox. With this
|
||||
option enabled, the renderer must communicate via IPC to the main process in order to access node APIs.
|
||||
However, in order to enable the Chromium OS sandbox, electron must be run with the `--enable-sandbox`
|
||||
However, in order to enable the Chromium OS sandbox, Electron must be run with the `--enable-sandbox`
|
||||
command line argument.
|
||||
|
||||
One of the key security features of Chromium is that all blink rendering/JavaScript
|
||||
|
@ -14,26 +14,26 @@ to the system by delegating tasks to the main process via IPC.
|
|||
[Here's](https://www.chromium.org/developers/design-documents/sandbox) more
|
||||
information about the sandbox.
|
||||
|
||||
Since a major feature in electron is the ability to run node.js in the
|
||||
Since a major feature in Electron is the ability to run Node.js in the
|
||||
renderer process (making it easier to develop desktop applications using web
|
||||
technologies), the sandbox is disabled by electron. This is because
|
||||
most node.js APIs require system access. `require()` for example, is not
|
||||
most Node.js APIs require system access. `require()` for example, is not
|
||||
possible without file system permissions, which are not available in a sandboxed
|
||||
environment.
|
||||
|
||||
Usually this is not a problem for desktop applications since the code is always
|
||||
trusted, but it makes electron less secure than chromium for displaying
|
||||
trusted, but it makes Electron less secure than Chromium for displaying
|
||||
untrusted web content. For applications that require more security, the
|
||||
`sandbox` flag will force electron to spawn a classic chromium renderer that is
|
||||
`sandbox` flag will force Electron to spawn a classic Chromium renderer that is
|
||||
compatible with the sandbox.
|
||||
|
||||
A sandboxed renderer doesn't have a node.js environment running and doesn't
|
||||
expose node.js JavaScript APIs to client code. The only exception is the preload script,
|
||||
which has access to a subset of the electron renderer API.
|
||||
A sandboxed renderer doesn't have a Node.js environment running and doesn't
|
||||
expose Node.js JavaScript APIs to client code. The only exception is the preload script,
|
||||
which has access to a subset of the Electron renderer API.
|
||||
|
||||
Another difference is that sandboxed renderers don't modify any of the default
|
||||
JavaScript APIs. Consequently, some APIs such as `window.open` will work as they
|
||||
do in chromium (i.e. they do not return a [`BrowserWindowProxy`](browser-window-proxy.md)).
|
||||
do in Chromium (i.e. they do not return a [`BrowserWindowProxy`](browser-window-proxy.md)).
|
||||
|
||||
## Example
|
||||
|
||||
|
@ -51,9 +51,9 @@ app.on('ready', () => {
|
|||
})
|
||||
```
|
||||
|
||||
In the above code the [`BrowserWindow`](browser-window.md) that was created has node.js disabled and can communicate
|
||||
only via IPC. The use of this option stops electron from creating a node.js runtime in the renderer. Also,
|
||||
within this new window `window.open` follows the native behaviour (by default electron creates a [`BrowserWindow`](browser-window.md)
|
||||
In the above code the [`BrowserWindow`](browser-window.md) that was created has Node.js disabled and can communicate
|
||||
only via IPC. The use of this option stops Electron from creating a Node.js runtime in the renderer. Also,
|
||||
within this new window `window.open` follows the native behaviour (by default Electron creates a [`BrowserWindow`](browser-window.md)
|
||||
and returns a proxy to this via `window.open`).
|
||||
|
||||
It is important to note that this option alone won't enable the OS-enforced sandbox. To enable this feature, the
|
||||
|
@ -75,19 +75,19 @@ app.on('ready', () => {
|
|||
|
||||
Note that it is not enough to call
|
||||
`app.commandLine.appendSwitch('--enable-sandbox')`, as electron/node startup
|
||||
code runs after it is possible to make changes to chromium sandbox settings. The
|
||||
switch must be passed to electron on the command-line:
|
||||
code runs after it is possible to make changes to Chromium sandbox settings. The
|
||||
switch must be passed to Electron on the command-line:
|
||||
|
||||
```sh
|
||||
electron --enable-sandbox app.js
|
||||
```
|
||||
|
||||
It is not possible to have the OS sandbox active only for some renderers, if
|
||||
`--enable-sandbox` is enabled, normal electron windows cannot be created.
|
||||
`--enable-sandbox` is enabled, normal Electron windows cannot be created.
|
||||
|
||||
If you need to mix sandboxed and non-sandboxed renderers in one application,
|
||||
omit the `--enable-sandbox` argument. Without this argument, windows
|
||||
created with `sandbox: true` will still have node.js disabled and communicate
|
||||
created with `sandbox: true` will still have Node.js disabled and communicate
|
||||
only via IPC, which by itself is already a gain from security POV.
|
||||
|
||||
## Preload
|
||||
|
@ -112,7 +112,7 @@ and preload.js:
|
|||
|
||||
```js
|
||||
// This file is loaded whenever a javascript context is created. It runs in a
|
||||
// private scope that can access a subset of electron renderer APIs. We must be
|
||||
// private scope that can access a subset of Electron renderer APIs. We must be
|
||||
// careful to not leak any objects into the global scope!
|
||||
const fs = require('fs')
|
||||
const {ipcRenderer} = require('electron')
|
||||
|
@ -136,7 +136,7 @@ window.open = customWindowOpen
|
|||
|
||||
Important things to notice in the preload script:
|
||||
|
||||
- Even though the sandboxed renderer doesn't have node.js running, it still has
|
||||
- Even though the sandboxed renderer doesn't have Node.js running, it still has
|
||||
access to a limited node-like environment: `Buffer`, `process`, `setImmediate`
|
||||
and `require` are available.
|
||||
- The preload script can indirectly access all APIs from the main process through the
|
||||
|
@ -146,7 +146,7 @@ Important things to notice in the preload script:
|
|||
- The preload script must be contained in a single script, but it is possible to have
|
||||
complex preload code composed with multiple modules by using a tool like
|
||||
browserify, as explained below. In fact, browserify is already used by
|
||||
electron to provide a node-like environment to the preload script.
|
||||
Electron to provide a node-like environment to the preload script.
|
||||
|
||||
To create a browserify bundle and use it as a preload script, something like
|
||||
the following should be used:
|
||||
|
@ -178,7 +178,7 @@ following modules:
|
|||
- `timers`
|
||||
- `url`
|
||||
|
||||
More may be added as needed to expose more electron APIs in the sandbox, but any
|
||||
More may be added as needed to expose more Electron APIs in the sandbox, but any
|
||||
module in the main process can already be used through
|
||||
`electron.remote.require`.
|
||||
|
||||
|
@ -186,7 +186,7 @@ module in the main process can already be used through
|
|||
|
||||
Please use the `sandbox` option with care, as it is still an experimental
|
||||
feature. We are still not aware of the security implications of exposing some
|
||||
electron renderer APIs to the preload script, but here are some things to
|
||||
Electron renderer APIs to the preload script, but here are some things to
|
||||
consider before rendering untrusted content:
|
||||
|
||||
- A preload script can accidentally leak privileged APIs to untrusted code.
|
||||
|
@ -194,9 +194,9 @@ consider before rendering untrusted content:
|
|||
APIs, effectively granting full access to the system through the `remote`
|
||||
module.
|
||||
|
||||
Since rendering untrusted content in electron is still uncharted territory,
|
||||
Since rendering untrusted content in Electron is still uncharted territory,
|
||||
the APIs exposed to the sandbox preload script should be considered more
|
||||
unstable than the rest of electron APIs, and may have breaking changes to fix
|
||||
unstable than the rest of Electron APIs, and may have breaking changes to fix
|
||||
security issues.
|
||||
|
||||
One planned enhancement that should greatly increase security is to block IPC
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue