docs: update contextIsolation documentation on access to globals (#19732)

This commit is contained in:
Shiranka Miskin 2020-11-18 01:24:00 -05:00 committed by GitHub
parent cc136f2acd
commit ec85a91472
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 14 deletions

View file

@ -337,18 +337,17 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
more details.
* `contextIsolation` Boolean (optional) - Whether to run Electron APIs and
the specified `preload` script in a separate JavaScript context. Defaults
to `false`. The context that the `preload` script runs in will still
have full access to the `document` and `window` globals but it will use
its own set of JavaScript builtins (`Array`, `Object`, `JSON`, etc.)
and will be isolated from any changes made to the global environment
by the loaded page. The Electron API will only be available in the
`preload` script and not the loaded page. This option should be used when
loading potentially untrusted remote content to ensure the loaded content
cannot tamper with the `preload` script and any Electron APIs being used.
This option uses the same technique used by [Chrome Content Scripts][chrome-content-scripts].
You can access this context in the dev tools by selecting the
'Electron Isolated Context' entry in the combo box at the top of the
Console tab.
to `false`. The context that the `preload` script runs in will only have
access to its own dedicated `document` and `window` globals, as well as
its own set of JavaScript builtins (`Array`, `Object`, `JSON`, etc.),
which are all invisible to the loaded content. The Electron API will only
be available in the `preload` script and not the loaded page. This option
should be used when loading potentially untrusted remote content to ensure
the loaded content cannot tamper with the `preload` script and any
Electron APIs being used. This option uses the same technique used by
[Chrome Content Scripts][chrome-content-scripts]. You can access this
context in the dev tools by selecting the 'Electron Isolated Context'
entry in the combo box at the top of the Console tab.
* `worldSafeExecuteJavaScript` Boolean (optional) - If true, values returned from `webFrame.executeJavaScript` will be sanitized to ensure JS values
can't unsafely cross between worlds when using `contextIsolation`. The default
is `false`. In Electron 12, the default will be changed to `true`. _Deprecated_