📝 Context Isolation
This commit is contained in:
Felix Rieseberg
parent
4cb22dd2ff
commit
c4dc8dacbf
1 changed files with 55 additions and 0 deletions
|
|
@ -174,8 +174,63 @@ window.readConfig = function () {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Enable Context Isolation for Remote Content
|
## Enable Context Isolation for Remote Content
|
||||||
|
|
||||||
|
Context isolation is an Electron feature that allows developers to run code
|
||||||
|
in preload scripts and in Electron APIs in a dedicated JavaScript context. In
|
||||||
|
practice, that means that global objects like `Array.prototype.push` or
|
||||||
|
`JSON.parse` cannot be modified by scripts running in the renderer process.
|
||||||
|
|
||||||
|
Electron uses the same technology as Chromium's [Content Scripts](https://developer.chrome.com/extensions/content_scripts#execution-environment)
|
||||||
|
to enable this behavior.
|
||||||
|
|
||||||
|
### Why?
|
||||||
|
|
||||||
|
Context isolation allows each the scripts on running in the renderer to make
|
||||||
|
changes to its JavaScript environment without worrying about conflicting with
|
||||||
|
the scripts in the Electron API or the preload script.
|
||||||
|
|
||||||
|
While still an experimental Electron feature, context isolation also adds an
|
||||||
|
additional layer of security by completely separating any Electron APIs and
|
||||||
|
preload scripts from access by the scripts running in the renderer. At the
|
||||||
|
same time, preload scripts continue to have access to the `document` and
|
||||||
|
`window` object, meaning that you are very likely not reduced in your ability
|
||||||
|
to use preload scripts. In other words, you're getting a decent return on a
|
||||||
|
likely very small investment.
|
||||||
|
|
||||||
|
### How?
|
||||||
|
|
||||||
|
```js
|
||||||
|
// Main process
|
||||||
|
const mainWindow = new BrowserWindow({
|
||||||
|
webPreferences: {
|
||||||
|
contextIsolation: true,
|
||||||
|
preload: 'preload.js'
|
||||||
|
}
|
||||||
|
})
|
||||||
|
```
|
||||||
|
|
||||||
|
```js
|
||||||
|
// Preload script
|
||||||
|
|
||||||
|
// Set a variable in the page before it loads
|
||||||
|
webFrame.executeJavaScript('window.foo = "foo";')
|
||||||
|
|
||||||
|
// The loaded page will not be able to access this, it is only available
|
||||||
|
// in this context
|
||||||
|
window.bar = 'bar'
|
||||||
|
|
||||||
|
document.addEventListener('DOMContentLoaded', () => {
|
||||||
|
// Will log out 'undefined' since window.foo is only available in the main
|
||||||
|
// context
|
||||||
|
console.log(window.foo)
|
||||||
|
|
||||||
|
// Will log out 'bar' since window.bar is available in this context
|
||||||
|
console.log(window.bar)
|
||||||
|
})
|
||||||
|
```
|
||||||
|
|
||||||
## Handle Session Permission Requests From Remote Content
|
## Handle Session Permission Requests From Remote Content
|
||||||
|
|
||||||
You may have seen permission requests while using Chrome: They pop up whenever
|
You may have seen permission requests while using Chrome: They pop up whenever
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue