docs: update sandbox renderer defaults for Electron 20 (#35379)

* docs: update E20 sandbox rendering defaults

* docs: update tutorial

* simplify paragraph

* dont mention context isolation
This commit is contained in:
Erick Zhao 2022-09-08 13:21:50 -07:00 committed by GitHub
parent 4fb4167b8b
commit 34cb360730
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 36 deletions

View file

@ -38,7 +38,25 @@ called a **preload**.
## Augmenting the renderer with a preload script
A BrowserWindow's preload script runs in a context that has access to both the HTML DOM
and a Node.js environment. Preload scripts are injected before a web page loads in the renderer,
and a limited subset of Node.js and Electron APIs.
:::info Preload script sandboxing
From Electron 20 onwards, preload scripts are **sandboxed** by default and no longer have access
to a full Node.js environment. Practically, this means that you have a polyfilled `require`
function that only has access to a limited set of APIs.
| Available API | Details |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Electron modules | Renderer process modules |
| Node.js modules | [`events`](https://nodejs.org/api/events.html), [`timers`](https://nodejs.org/api/timers.html), [`url`](https://nodejs.org/api/url.html) |
| Polyfilled globals | [`Buffer`](https://nodejs.org/api/buffer.html), [`process`](../api/process.md), [`clearImmediate`](https://nodejs.org/api/timers.html#timers_clearimmediate_immediate), [`setImmediate`](https://nodejs.org/api/timers.html#timers_setimmediate_callback_args) |
For more information, check out the [Process Sandboxing](./sandbox.md) guide.
:::
Preload scripts are injected before a web page loads in the renderer,
similar to a Chrome extension's [content scripts][content-script]. To add features to your renderer
that require privileged access, you can define [global] objects through the
[contextBridge][contextbridge] API.