|
|
@@ -702,7 +702,11 @@ succeeding.
|
|
|
|
|
|
```js
|
|
|
// Bad if the renderer can run untrusted content
|
|
|
-const mainWindow = new BrowserWindow({})
|
|
|
+const mainWindow = new BrowserWindow({
|
|
|
+ webPreferences: {
|
|
|
+ enableRemoteModule: true
|
|
|
+ }
|
|
|
+})
|
|
|
```
|
|
|
|
|
|
```js
|
|
|
@@ -716,12 +720,17 @@ const mainWindow = new BrowserWindow({
|
|
|
|
|
|
```html
|
|
|
<!-- Bad if the renderer can run untrusted content -->
|
|
|
-<webview src="page.html"></webview>
|
|
|
+<webview enableremotemodule="true" src="page.html"></webview>
|
|
|
|
|
|
<!-- Good -->
|
|
|
<webview enableremotemodule="false" src="page.html"></webview>
|
|
|
```
|
|
|
|
|
|
+> **Note:** The default value of `enableRemoteModule` is `false` starting
|
|
|
+> from Electron 10. For prior versions, you need to explicitly disable
|
|
|
+> the `remote` module by the means above.
|
|
|
+
|
|
|
+
|
|
|
## 16) Filter the `remote` module
|
|
|
|
|
|
If you cannot disable the `remote` module, you should filter the globals,
|
Erick Zhao