chore: update ref to docs (🤖)
1 parent ce756e4 commit 47994c9
Showing 2 changed files with 47 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/latest/.sha
@@ -1 +1 @@
a1816f3587aa63f2eebbda4f38c1a194e286e281
c538aa8e6cf2f34e74f6860138536bab84b74a02
47 changes: 46 additions & 1 deletion docs/latest/tutorial/security.md
Expand Up @@ -122,6 +122,7 @@ You should at least follow these steps to improve the security of your applicati
17. [Validate the `sender` of all IPC messages](#17-validate-the-sender-of-all-ipc-messages)
18. [Avoid usage of the `file://` protocol and prefer usage of custom protocols](#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols)
19. [Check which fuses you can change](#19-check-which-fuses-you-can-change)
20. [Do not expose Electron APIs to untrusted web content](#20-do-not-expose-electron-apis-to-untrusted-web-content)

To automate the detection of misconfigurations and insecure patterns, it is
possible to use
Expand Down Expand Up @@ -238,7 +239,7 @@ API to remotely loaded content via the [contextBridge API](../api/context-bridge

:::info

This recommendation is the default behavior in Electron since 12.0.0.
Context Isolation is the default behavior in Electron since 12.0.0.

:::

Expand Down Expand Up @@ -828,6 +829,50 @@ flipping these fuses easy. Check out the README of that module for more details
potential error cases, and refer to
[How do I flip the fuses?](./fuses.md#how-do-i-flip-the-fuses) in our documentation.

### 20. Do not expose Electron APIs to untrusted web content

You should not directly expose Electron's APIs, especially IPC, to untrusted web content in your
preload scripts.

### Why?

Exposing raw APIs like `ipcRenderer.on` is dangerous because it gives renderer processes direct
access to the entire IPC event system, allowing them to listen for any IPC events, not just the ones
intended for them.

To avoid that exposure, we also cannot pass callbacks directly through: The first
argument to IPC event callbacks is an `IpcRendererEvent` object, which includes properties like `sender`
that provide access to the underlying `ipcRenderer` instance. Even if you only listen for specific
events, passing the callback directly means the renderer gets access to this event object.

In short, we want the untrusted web content to only have access to necessary information and APIs.

### How?

```js title='preload'.js'
// Bad
contextBridge.exposeInMainWorld('electronAPI', {
on: ipcRenderer.on
})

// Also bad
contextBridge.exposeInMainWorld('electronAPI', {
onUpdateCounter: (callback) => ipcRenderer.on('update-counter', callback)
})

// Good
contextBridge.exposeInMainWorld('electronAPI', {
onUpdateCounter: (callback) => ipcRenderer.on('update-counter', (_event, value) => callback(value))
})
```

:::info

For more information on what `contextIsolation` is and how to use it to secure your app,
please see the [Context Isolation](context-isolation.md) document.

:::

[breaking-changes]: ../breaking-changes.md
[browser-window]: ../api/browser-window.md
[webview-tag]: ../api/webview-tag.md
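Review bot: the `// Good` example still leaks an object across the bridge: `(callback) => ipcRenderer.on('update-counter', (_event, value) => callback(value))` is an expression-bodied arrow, so it returns whatever `ipcRenderer.on` returns, and `ipcRenderer` is an `EventEmitter` whose `on` returns `this`, i.e. the `ipcRenderer` instance. `contextBridge` will then try to copy that instance into the web content, which is exactly the exposure this new section tells readers to avoid. Use a block body so nothing is returned, e.g. `onUpdateCounter: (callback) => { ipcRenderer.on('update-counter', (_event, value) => callback(value)) }`, or return a plain unsubscribe function built from `ipcRenderer.removeListener` if callers need to detach. Two smaller points in the same hunk: the fence info string `title='preload'.js'` has a stray quote and should be `title='preload.js'`; and `### Why?` / `### How?` are at the same heading level as `### 20. Do not expose Electron APIs to untrusted web content`, so they render as sibling sections rather than as parts of item 20, where `####` would keep them nested under the numbered item.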
