mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

docs: update sandbox-option.md (#18275)

Browse source 
Co-Authored-By: Mark Lee <malept@users.noreply.github.com>
This commit is contained in:
Milan Burda 2019-05-20 17:34:57 +02:00 committed by Alexey Kuzmin
parent 89105e7e57
commit dbb8617214
1 changed files with 9 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
docs/api/sandbox-option.md
View file

@ -113,8 +113,8 @@ window.open = customWindowOpen
Important things to notice in the preload script: Important things to notice in the preload script:
- Even though the sandboxed renderer doesn't have Node.js running, it still has - Even though the sandboxed renderer doesn't have Node.js running, it still has
access to a limited node-like environment: `Buffer`, `process`, `setImmediate` access to a limited node-like environment: `Buffer`, `process`, `setImmediate`,
and `require` are available. `clearImmediate` and `require` are available.
- The preload script can indirectly access all APIs from the main process through the - The preload script can indirectly access all APIs from the main process through the
`remote` and `ipcRenderer` modules. `remote` and `ipcRenderer` modules.
- The preload script must be contained in a single script, but it is possible to have - The preload script must be contained in a single script, but it is possible to have
@ -162,16 +162,17 @@ feature. We are still not aware of the security implications of exposing some
Electron renderer APIs to the preload script, but here are some things to Electron renderer APIs to the preload script, but here are some things to
consider before rendering untrusted content: consider before rendering untrusted content:
- A preload script can accidentally leak privileged APIs to untrusted code. - A preload script can accidentally leak privileged APIs to untrusted code,
unless [`contextIsolation`](../tutorial/security.md#3-enable-context-isolation-for-remote-content)
is also enabled.
- Some bug in V8 engine may allow malicious code to access the renderer preload - Some bug in V8 engine may allow malicious code to access the renderer preload
APIs, effectively granting full access to the system through the `remote` APIs, effectively granting full access to the system through the `remote`
module. module. Therefore, it is highly recommended to
[disable the `remote` module](../tutorial/security.md#15-disable-the-remote-module).
If disabling is not feasible, you should selectively
[filter the `remote` module](../tutorial/security.md#16-filter-the-remote-module).
Since rendering untrusted content in Electron is still uncharted territory, Since rendering untrusted content in Electron is still uncharted territory,
the APIs exposed to the sandbox preload script should be considered more the APIs exposed to the sandbox preload script should be considered more
unstable than the rest of Electron APIs, and may have breaking changes to fix unstable than the rest of Electron APIs, and may have breaking changes to fix
security issues. security issues.
One planned enhancement that should greatly increase security is to block IPC
messages from sandboxed renderers by default, allowing the main process to
explicitly define a set of messages the renderer is allowed to send.