From 74bb4bacd700b5b48226c8329971b409728c5f94 Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Thu, 8 Sep 2016 10:39:29 -0700 Subject: [PATCH] Add section about Buffer global --- docs/tutorial/security.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index f16d8cf49bc9..876ed8baade3 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -36,6 +36,7 @@ things on top of Electron. Pull requests and contributions supporting this effort are always very welcome. ## Ignoring Above Advice + A security issue exists whenever you receive code from a remote destination and execute it locally. As an example, consider a remote website being displayed inside a browser window. If an attacker somehow manages to change said content @@ -49,6 +50,7 @@ your application) to execute Node code. To display remote content, use the `webview` tag and make sure to disable the `nodeIntegration`. #### Checklist + This is not bulletproof, but at the least, you should attempt the following: * Only display secure (https) content @@ -71,3 +73,22 @@ This is not bulletproof, but at the least, you should attempt the following: Again, this list merely minimizes the risk, it does not remove it. If your goal is to display a website, a browser will be a more secure option. + +## Buffer Global + +Node's [Buffer](https://nodejs.org/api/buffer.html) class is currently available +as a global even when `nodeIntegration` is set to `false`. You can delete +this in your app by doing the following in your `preload` script: + +```js +delete global.Buffer +``` + +Deleting it may break Node modules used in your preload script and app since +many libraries expect it to be a global instead of requiring it directly via: + +```js +const {Buffer} = require('buffer') +``` + +The `Buffer` global may be removed in future major versions of Electron.
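Review bot: the new "Buffer Global" section (third hunk) tells readers how to delete the global but not why a security-conscious app should, nor when the deletion takes effect relative to remote content. Since this sits in security.md right after the `nodeIntegration: false` advice, suggest one sentence stating the concern (a Node class is reachable from displayed content even with `nodeIntegration` disabled) and one stating when the `preload` script runs relative to the page's own scripts, so readers know `delete global.Buffer` lands before any remote code executes. The caveat "Deleting it may break Node modules used in your preload script" would also read better as advice: `require` whatever the preload needs before the deletion, place `delete global.Buffer` at the end of the preload, and confirm from the page afterwards that `typeof Buffer === 'undefined'`. The first two hunks (blank lines after the headings) are fine as-is.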