feat: only allow bundled preload scripts (#17308)
parent
3d307e5610
commit
8cf15cc931
11 changed files with 79 additions and 3 deletions
|
@ -81,6 +81,10 @@ powerMonitor.querySystemIdleTime(callback)
|
|||
const idleTime = getSystemIdleTime()
|
||||
```
|
||||
|
||||
## Preload scripts outside of app path are not allowed
|
||||
|
||||
For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
|
||||
|
||||
# Planned Breaking API Changes (5.0)
|
||||
|
||||
## `new BrowserWindow({ webPreferences })`
|
||||
|
|
|
@ -266,6 +266,8 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
|
|||
When node integration is turned off, the preload script can reintroduce
|
||||
Node global symbols back to the global scope. See example
|
||||
[here](process.md#event-loaded).
|
||||
**Note:** For security reasons, preload scripts can only be loaded from
|
||||
a subpath of the [app path](app.md#appgetapppath).
|
||||
* `sandbox` Boolean (optional) - If set, this will sandbox the renderer
|
||||
associated with the window, making it compatible with the Chromium
|
||||
OS-level sandbox and disabling the Node.js engine. This is not the same as
|
||||
|
|
|
@ -77,7 +77,7 @@ app.on('ready', () => {
|
|||
win = new BrowserWindow({
|
||||
webPreferences: {
|
||||
sandbox: true,
|
||||
preload: 'preload.js'
|
||||
preload: path.join(app.getAppPath(), 'preload.js')
|
||||
}
|
||||
})
|
||||
win.loadURL('http://google.com')
|
||||
|
|
|
@ -561,6 +561,8 @@ Returns `Promise<void>` - resolves when the session’s HTTP authentication cach
|
|||
Adds scripts that will be executed on ALL web contents that are associated with
|
||||
this session just before normal `preload` scripts run.
|
||||
|
||||
**Note:** For security reasons, preload scripts can only be loaded from a subpath of the [app path](app.md#appgetapppath).
|
||||
|
||||
#### `ses.getPreloads()`
|
||||
|
||||
Returns `String[]` an array of paths to preload scripts that have been
|
||||
|
|
|
@ -162,6 +162,9 @@ When the guest page doesn't have node integration this script will still have
|
|||
access to all Node APIs, but global objects injected by Node will be deleted
|
||||
after this script has finished executing.
|
||||
|
||||
**Note:** For security reasons, preload scripts can only be loaded from
|
||||
a subpath of the [app path](app.md#appgetapppath).
|
||||
|
||||
**Note:** This option will be appear as `preloadURL` (not `preload`) in
|
||||
the `webPreferences` specified to the `will-attach-webview` event.
|
||||
|
||||
|
|
|
@ -193,7 +193,7 @@ const mainWindow = new BrowserWindow({
|
|||
webPreferences: {
|
||||
nodeIntegration: false,
|
||||
nodeIntegrationInWorker: false,
|
||||
preload: './preload.js'
|
||||
preload: path.join(app.getAppPath(), 'preload.js')
|
||||
}
|
||||
})
|
||||
|
||||
|
@ -260,7 +260,7 @@ very small investment.
|
|||
const mainWindow = new BrowserWindow({
|
||||
webPreferences: {
|
||||
contextIsolation: true,
|
||||
preload: 'preload.js'
|
||||
preload: path.join(app.getAppPath(), 'preload.js')
|
||||
}
|
||||
})
|
||||
```
|
||||
|
|