The `nodeIntegration` option in Electron is used to control whether or not the renderer process has access to the Node.js APIs. By default, the `nodeIntegration` option is set to `false`, which means that the renderer process does not have access to the Node.js APIs. Similarly, the `nodeIntegrationInWorker` option is also set to `false` by default, so that Electron Web Workers do not have access to the Node.js APIs. This helps prevent malicious code from executing in the renderer process and accessing sensitive system resources.

A cross-site scripting (XSS) attack is more dangerous if the attacker can exit the renderer process and execute code on the user's computer. Cross-site scripting attacks are usually limited to disrupting the website on which they are executed. Disabling Node.js integration helps prevent an XSS from escalating into a remote code execution (RCE) attack.

If your use case still requires you to enable `nodeIntegration` or `nodeIntegrationInWorker`, be sure to audit that your application does not execute code from untrusted sources.

    const { BrowserWindow } = require('electron')
    const mainWindow = new BrowserWindow({
      webPreferences: {
        nodeIntegration: true, // `nodeIntegration` should not be set to true
        nodeIntegrationInWorker: true // `nodeIntegrationInWorker` should not be set to true
      }
    })

    const { BrowserWindow } = require('electron')
    const mainWindow = new BrowserWindow({
      // alternatively: Do not set these properties in the preferences object, as they're configured correctly by default.
      webPreferences: {
        nodeIntegration: false,
        nodeIntegrationInWorker: false
      }
    })
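
One way to enforce the setting above at a single choke point, so that a window only keeps Node.js integration when it has been explicitly marked as audited. This is an added example, not code from the original page or from Electron; `findNodeFlags`, `hardenOptions`, `createWindow`, the `audited` option and `FakeBrowserWindow` are hypothetical names, and the window constructor is passed in so the code runs without Electron installed.

```javascript
// Added example: helper names and the `audited` policy flag are assumptions.
const NODE_FLAGS = ['nodeIntegration', 'nodeIntegrationInWorker'];

// List the Node.js-enabling flags that are switched on in a BrowserWindow
// options object. A missing webPreferences object or flag counts as disabled.
function findNodeFlags(options = {}) {
  const prefs = options.webPreferences || {};
  return NODE_FLAGS.filter((flag) => Boolean(prefs[flag]));
}

// Return a copy of the options with enabled flags forced to false, unless the
// caller states that this window's content has been audited. The input object
// is never mutated.
function hardenOptions(options = {}, { audited = false } = {}) {
  const enabled = findNodeFlags(options);
  if (audited || enabled.length === 0) return { options, overridden: [] };
  const webPreferences = { ...options.webPreferences };
  for (const flag of enabled) webPreferences[flag] = false;
  return { options: { ...options, webPreferences }, overridden: enabled };
}

// Create every window through this function. In a real application, pass
// require('electron').BrowserWindow as the first argument.
function createWindow(BrowserWindow, options, policy) {
  const { options: safe, overridden } = hardenOptions(options, policy);
  if (overridden.length > 0) {
    console.warn(`Disabled ${overridden.join(', ')}: window not marked as audited`);
  }
  return new BrowserWindow(safe);
}

// Constructed stand-in for Electron's BrowserWindow, for demonstration only.
class FakeBrowserWindow {
  constructor(options) { this.options = options; }
}

// Constructed sample options that repeat the risky configuration shown above.
const risky = {
  width: 800,
  webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true }
};
const win = createWindow(FakeBrowserWindow, risky);
console.log(win.options.webPreferences);
```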