docs: explain ipcRenderer behavior in context-bridge.md (#43455)

* docs: explain ipcRenderer behavior in context-bridge.md

* Update context-bridge.md

* Update context-bridge.md

* Update docs/api/context-bridge.md

Co-authored-by: Erik Moura <erikian@erikian.dev>

* Update context-bridge.md

* Update context-bridge.md

* Update context-bridge.md

* Update docs/api/context-bridge.md

Co-authored-by: Erick Zhao <erick@hotmail.ca>

* Update docs/api/context-bridge.md

Co-authored-by: David Sanders <dsanders11@ucsbalum.com>

---------

Co-authored-by: Erik Moura <erikian@erikian.dev>
Co-authored-by: Erick Zhao <erick@hotmail.ca>
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
Kilian Valkhof 2024-09-05 22:48:22 +02:00 committed by GitHub
parent 69df09dc90
commit 32d5f9e3ef
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -147,6 +147,25 @@ has been included below for completeness:
If the type you care about is not in the above table, it is probably not supported.
### Exposing ipcRenderer
Attempting to send the entire `ipcRenderer` module as an object over the `contextBridge` will result in
an empty object on the receiving side of the bridge. Sending over `ipcRenderer` in full can let any
code send any message, which is a security footgun. To interact through `ipcRenderer`, provide a safe wrapper
like below:
```js
// Preload (Isolated World)
contextBridge.exposeInMainWorld('electron', {
onMyEventName: (callback) => ipcRenderer.on('MyEventName', (e, ...args) => callback(args))
})
```
```js @ts-nocheck
// Renderer (Main World)
window.electron.onMyEventName(data => { /* ... */ })
```
### Exposing Node Global Symbols
The `contextBridge` can be used by the preload script to give your renderer access to Node APIs.
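
Review bot: In the preload example, `onMyEventName` is an expression-bodied arrow, so whatever `ipcRenderer.on('MyEventName', ...)` returns is passed back across the bridge to the main world; wrap the body in braces so the wrapper returns nothing. In the same line, `callback(args)` hands the renderer a single array rather than spread arguments, which the renderer snippet's `data => { /* ... */ }` does not make obvious, so either spread the arguments or say in the text that `data` is an array. The paragraph's stated risk is that exposing `ipcRenderer` in full lets any code send any message, but the example only covers receiving; a second wrapper that sends on one fixed channel name would show the safe pattern for the case the text actually warns about. The preload snippet also uses `contextBridge` and `ipcRenderer` without showing where they come from, and the wording "like below" would read better as "like the one below".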