docs: update nodeIntegration section for new defaults (#17715)

Milan Burda 6 years ago
parent
commit
2fd3029040
2 changed files with 26 additions and 8 deletions
  1. 14 2
      docs/tutorial/first-app.md
  2. 12 6
      docs/tutorial/security.md

+ 14 - 2
docs/tutorial/first-app.md

@@ -109,7 +109,13 @@ const { app, BrowserWindow } = require('electron')
 
 function createWindow () {
   // Create the browser window.
-  let win = new BrowserWindow({ width: 800, height: 600 })
+  let win = new BrowserWindow({
+    width: 800,
+    height: 600,
+    webPreferences: {
+      nodeIntegration: true
+    }
+  })
 
   // and load the index.html of the app.
   win.loadFile('index.html')
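
Review bot: `nodeIntegration: true` in the added `webPreferences` block carries no comment saying why the tutorial opts in, and readers will copy this window setup into apps that later load remote content. Add a one-line comment above it stating why the tutorial needs it and that it is acceptable here because `win.loadFile('index.html')` loads a local file, with a pointer to docs/tutorial/security.md.
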
@@ -132,7 +138,13 @@ let win
 
 function createWindow () {
   // Create the browser window.
-  win = new BrowserWindow({ width: 800, height: 600 })
+  let win = new BrowserWindow({
+    width: 800,
+    height: 600,
+    webPreferences: {
+      nodeIntegration: true
+    }
+  })
 
   // and load the index.html of the app.
   win.loadFile('index.html')
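
Review bot: the added `let win = new BrowserWindow({` redeclares `win` inside `createWindow`, shadowing the module-level `let win` shown in the hunk header, which the removed line assigned to with `win = new BrowserWindow(...)`. The outer variable is then never set, so the module-level reference to the window is lost; drop the `let` so the line reads `win = new BrowserWindow({`.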

+ 12 - 6
docs/tutorial/security.md

@@ -96,7 +96,7 @@ either `process.env` or the `window` object.
 You should at least follow these steps to improve the security of your application:
 
 1. [Only load secure content](#1-only-load-secure-content)
-2. [Disable the Node.js integration in all renderers that display remote content](#2-disable-nodejs-integration-for-remote-content)
+2. [Disable the Node.js integration in all renderers that display remote content](#2-do-not-enable-nodejs-integration-for-remote-content)
 3. [Enable context isolation in all renderers that display remote content](#3-enable-context-isolation-for-remote-content)
 4. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#4-handle-session-permission-requests-from-remote-content)
 5. [Do not disable `webSecurity`](#5-do-not-disable-websecurity)
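
Review bot: the link text on item 2 still reads "Disable the Node.js integration in all renderers that display remote content" while its anchor now points at `#2-do-not-enable-nodejs-integration-for-remote-content`. Reword the text to match the renamed section, for example "Do not enable Node.js integration in any renderer that displays remote content".
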
@@ -159,9 +159,11 @@ browserWindow.loadURL('https://example.com')
 ```
 
 
-## 2) Disable Node.js Integration for Remote Content
+## 2) Do not enable Node.js Integration for Remote Content
 
-It is paramount that you disable Node.js integration in any renderer
+_This recommendation is the default behavior in Electron since 5.0.0._
+
+It is paramount that you do not enable Node.js integration in any renderer
 ([`BrowserWindow`][browser-window], [`BrowserView`][browser-view], or
 [`<webview>`][webview-tag]) that loads remote content. The goal is to limit the
 powers you grant to remote content, thus making it dramatically more difficult
@@ -185,7 +187,13 @@ so-called "Remote Code Execution" (RCE) attack.
 
 ```js
 // Bad
-const mainWindow = new BrowserWindow()
+const mainWindow = new BrowserWindow({
+  webPreferences: {
+    nodeIntegration: true,
+    nodeIntegrationInWorker: true
+  }
+})
+
 mainWindow.loadURL('https://example.com')
 ```
 
@@ -193,8 +201,6 @@ mainWindow.loadURL('https://example.com')
 // Good
 const mainWindow = new BrowserWindow({
   webPreferences: {
-    nodeIntegration: false,
-    nodeIntegrationInWorker: false,
     preload: path.join(app.getAppPath(), 'preload.js')
   }
 })
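
Review bot: removing `nodeIntegration: false` and `nodeIntegrationInWorker: false` from the Good example makes it safe only where those are the defaults, which this section states is the case since Electron 5.0.0. Either keep the explicit `false` values or add a comment in the block saying it relies on the 5.0.0 defaults, so readers on older versions do not copy it unchanged.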