From 32d5f9e3efb94c6ff85c2a2bc8c7c822026de21b Mon Sep 17 00:00:00 2001 From: Kilian Valkhof Date: Thu, 5 Sep 2024 22:48:22 +0200 Subject: [PATCH] docs: explain ipcRenderer behavior in context-bridge.md (#43455) * docs: explain ipcRenderer behavior in context-bridge.md * Update context-bridge.md * Update context-bridge.md * Update docs/api/context-bridge.md Co-authored-by: Erik Moura * Update context-bridge.md * Update context-bridge.md * Update context-bridge.md * Update docs/api/context-bridge.md Co-authored-by: Erick Zhao * Update docs/api/context-bridge.md Co-authored-by: David Sanders --------- Co-authored-by: Erik Moura Co-authored-by: Erick Zhao Co-authored-by: David Sanders --- docs/api/context-bridge.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/api/context-bridge.md b/docs/api/context-bridge.md index b9eb55f8a990..59d8a0d36311 100644 --- a/docs/api/context-bridge.md +++ b/docs/api/context-bridge.md @@ -147,6 +147,25 @@ has been included below for completeness: If the type you care about is not in the above table, it is probably not supported. +### Exposing ipcRenderer + +Attempting to send the entire `ipcRenderer` module as an object over the `contextBridge` will result in +an empty object on the receiving side of the bridge. Sending over `ipcRenderer` in full can let any +code send any message, which is a security footgun. To interact through `ipcRenderer`, provide a safe wrapper +like below: + +```js +// Preload (Isolated World) +contextBridge.exposeInMainWorld('electron', { + onMyEventName: (callback) => ipcRenderer.on('MyEventName', (e, ...args) => callback(args)) +}) +``` + +```js @ts-nocheck +// Renderer (Main World) +window.electron.onMyEventName(data => { /* ... */ }) +``` + ### Exposing Node Global Symbols The `contextBridge` can be used by the preload script to give your renderer access to Node APIs.
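Review bot: In the preload example, `onMyEventName` is a concise arrow function, so it hands the return value of `ipcRenderer.on(...)` back across the bridge to the main world. Put the body in braces so the wrapper returns nothing, for example `onMyEventName: (callback) => { ipcRenderer.on('MyEventName', (e, ...args) => callback(...args)) }`. The same line calls `callback(args)`, which delivers the arguments as a single array while the renderer snippet names the parameter `data`; either spread them with `callback(...args)` or state in the text that `data` is an array. The paragraph warns that exposing `ipcRenderer` in full lets any code send any message, but the example only covers receiving, so a second wrapper member that sends on one fixed channel name would illustrate the stated risk more directly. The preload snippet also uses `contextBridge` and `ipcRenderer` without showing where they come from, which the neighbouring examples in this file should be checked against for consistency.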