在与应用程序一起打包的本地页面上启用 Electron 中的 nodeIntegration 是否安全?

2022-01-10 00:00:00 node.js electron javascript

我在创建自定义窗口控件(如关闭、最小/最大和还原)时遇到问题,但 nodeIntegration 已关闭.我在渲染器的本地 html 文件中创建了按钮

<块引用>

main.js

mainWindow = new BrowserWindow({x, y, 宽度, 高度,框架:假,显示:假,webPreferences: { devTools: true }});mainWindow.loadURL(url.format({协议:'文件:',斜线:真,路径名:path.join(__dirname, 'assets', 'index.html')}));

<块引用>

index.html

<div id='minimize' class='noSelect'>&#xE921;</div><div id='maximize' class='noSelect'>&#xE922;</div><div id='restore' class='noSelect'>&#xE923;</div><div id='close' class='noSelect'>&#xE8BB;</div><script type='text/javascript' src='../assets/js/index.js'></script>

默认情况下,nodeIntegration 处于关闭状态,因此 index.js 无法访问 Node.但是,我需要能够向按钮添加功能以关闭、最小/最大和恢复窗口.

<块引用>

index.js

const { remote } = require('electron');const mainWindow = remote.getCurrentWindow();document.getElementById('close').addEventListener('click', () => {mainWindow.close();});

这不起作用,因为 nodeIntegration 被禁用.在本地页面中启用它是否安全?如果没有,这样做的安全方法是什么?

解决方案

TL;DR: 启用 nodeIntegration 只会在您从不受信任的来源加载和执行代码时产生风险,即互联网或来自用户输入.

如果您完全确定您的应用程序将只运行您创建的代码(并且没有 NodeJS 模块从互联网加载脚本),基本上,启用 nodeIntegration 的风险很小.

但是,如果您允许用户运行代码(即输入然后 eval 它)或者您提供插件 API,您无法控制加载的插件,风险级别上升是因为 NodeJS 允许任何 NodeJS 脚本(例如)操作文件系统.

另一方面,如果禁用nodeIntegration,则无法与主进程通信或操作BrowserWindow,因此无法创建自定义窗口控件.

I am stuck when creating custom window controls like close, min/max and restore with nodeIntegration turned off. I created the buttons in my renderer's local html file

main.js

mainWindow = new BrowserWindow({
    x, y, width, height,
    frame: false,
    show: false,
    webPreferences: { devTools: true }
});

mainWindow.loadURL(url.format({
    protocol: 'file:',
    slashes: true,
    pathname: path.join(__dirname, 'assets', 'index.html')
}));

index.html

<div id='minimize' class='noSelect'>&#xE921;</div>
<div id='maximize' class='noSelect'>&#xE922;</div>
<div id='restore' class='noSelect'>&#xE923;</div>
<div id='close' class='noSelect'>&#xE8BB;</div>

<script type='text/javascript' src='../assets/js/index.js'></script>

By default, nodeIntegration is off so index.js has no access to Node. However, I need to be able to add functionality to the buttons to close, min/max and restore the window.

index.js

const { remote } = require('electron');
const mainWindow = remote.getCurrentWindow();

document.getElementById('close').addEventListener('click', () => {
  mainWindow.close();
});

This wouldn't work because of nodeIntegration being disabled. Is it safe to have it enabled in a local page? If not, what is a safe way of doing this?

解决方案

TL;DR: Enabling nodeIntegration only imposes risks if you load and execute code from untrusted sources, i.e. the internet or from user input.

If you are completely sure that your application will only run the code you have created (and no NodeJS module loads scripts from the internet), basically, there is no to very little risk if enabling nodeIntegration.

However, if you allow the user to run code (i.e. input and then eval it) or you provide plug-in APIs from which you do not have any control over the plug-ins loaded, the risk level rises because NodeJS allows any NodeJS script, ex., to manipulate the filesystem.

On the other hand, if you disable nodeIntegration, you have no way of communicating with the main process or manipulating the BrowserWindow, thus cannot create custom window controls.

相关文章