docs: update sandbox renderer defaults for Electron 20 (#35379)

* docs: update E20 sandbox rendering defaults * docs: update tutorial * simplify paragraph * dont mention context isolation
2022-09-08 13:21:50 -07:00 · 2022-09-08 13:21:50 -07:00 · 34cb360730
commit 34cb360730
parent 4fb4167b8b
2 changed files with 58 additions and 36 deletions
--- a/docs/tutorial/tutorial-3-preload.md
+++ b/docs/tutorial/tutorial-3-preload.md
@ -38,7 +38,25 @@ called a **preload**.
 ## Augmenting the renderer with a preload script

 A BrowserWindow's preload script runs in a context that has access to both the HTML DOM
-and a Node.js environment. Preload scripts are injected before a web page loads in the renderer,
+and a limited subset of Node.js and Electron APIs.
+
+:::info Preload script sandboxing
+
+From Electron 20 onwards, preload scripts are **sandboxed** by default and no longer have access
+to a full Node.js environment. Practically, this means that you have a polyfilled `require`
+function that only has access to a limited set of APIs.
+
+| Available API      | Details                                                                                                                                                                                                                                                        |
+| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Electron modules   | Renderer process modules                                                                                                                                                                                                                                       |
+| Node.js modules    | [`events`](https://nodejs.org/api/events.html), [`timers`](https://nodejs.org/api/timers.html), [`url`](https://nodejs.org/api/url.html)                                                                                                                       |
+| Polyfilled globals | [`Buffer`](https://nodejs.org/api/buffer.html), [`process`](../api/process.md), [`clearImmediate`](https://nodejs.org/api/timers.html#timers_clearimmediate_immediate), [`setImmediate`](https://nodejs.org/api/timers.html#timers_setimmediate_callback_args) |
+
+For more information, check out the [Process Sandboxing](./sandbox.md) guide.
+
+:::
+
+Preload scripts are injected before a web page loads in the renderer,
 similar to a Chrome extension's [content scripts][content-script]. To add features to your renderer
 that require privileged access, you can define [global] objects through the
 [contextBridge][contextbridge] API.