From b31a4dcdf3120634b5db87a81ddcd25870fd74ab Mon Sep 17 00:00:00 2001 From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 17:05:46 -0400 Subject: [PATCH] docs: explain ipcRenderer behavior in context-bridge.md (#43584) * docs: explain ipcRenderer behavior in context-bridge.md Co-authored-by: Kilian Valkhof * Update context-bridge.md Co-authored-by: Kilian Valkhof * Update context-bridge.md Co-authored-by: Kilian Valkhof * Update docs/api/context-bridge.md Co-authored-by: Erik Moura Co-authored-by: Kilian Valkhof * Update context-bridge.md Co-authored-by: Kilian Valkhof * Update context-bridge.md Co-authored-by: Kilian Valkhof * Update context-bridge.md Co-authored-by: Kilian Valkhof * Update docs/api/context-bridge.md Co-authored-by: Erick Zhao Co-authored-by: Kilian Valkhof * Update docs/api/context-bridge.md Co-authored-by: David Sanders Co-authored-by: Kilian Valkhof --------- Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: Kilian Valkhof --- docs/api/context-bridge.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/api/context-bridge.md b/docs/api/context-bridge.md index b9eb55f8a990..59d8a0d36311 100644 --- a/docs/api/context-bridge.md +++ b/docs/api/context-bridge.md 
@@ -147,6 +147,25 @@ has been included below for completeness: If the type you care about is not in the above table, it is probably not supported. +### Exposing ipcRenderer + +Attempting to send the entire `ipcRenderer` module as an object over the `contextBridge` will result in +an empty object on the receiving side of the bridge. Sending over `ipcRenderer` in full can let any +code send any message, which is a security footgun. To interact through `ipcRenderer`, provide a safe wrapper +like below: + +```js +// Preload (Isolated World) +contextBridge.exposeInMainWorld('electron', { + onMyEventName: (callback) => ipcRenderer.on('MyEventName', (e, ...args) => callback(args)) +}) +``` + +```js @ts-nocheck +// Renderer (Main World) +window.electron.onMyEventName(data => { /* ... */ }) +``` + ### Exposing Node Global Symbols The `contextBridge` can be used by the preload script to give your renderer access to Node APIs.
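Review bot: In the preload example, `callback(args)` hands the renderer a single array rather than the original arguments, while the renderer example names its parameter `data`, so readers will likely expect the payload itself. Either spread it with `callback(...args)` or say in the text that `data` is an array of the sent arguments. Two smaller points on the same example: the arrow function has an expression body, so whatever `ipcRenderer.on(...)` returns is passed back across the bridge to the main world; a block body, `(callback) => { ipcRenderer.on('MyEventName', (e, ...args) => callback(...args)) }`, avoids returning anything. Also, the paragraph motivates the wrapper by the risk that "any code [can] send any message", but the example only covers listening. A second wrapper that sends on one fixed channel name would illustrate the stated risk directly, and it would be worth noting that the example deliberately withholds the event object `e` from the callback.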