Is it possible to disable the node Integration option to use this boilerplate?

Question

Is it possible to disable the node Integration option to use this boilerplate?

Closed this issue 4 years ago · 3 comments

I was doing some research about security in Electron and found we should not enable nodeJs integration for Remote Content.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md (second option)

So I tried to disable that option and got some issues -- I believe it was caused by some webpack configuration, not sure.

I'm not an expert in security but I like to follow as much as I can so I wonder if this should be a concern because basically we would be loading the Electron Renderer in localhost (dev environment) and in a static HTML page (prod environment), right?

What do you guys think?

Answer 1 · 2020-09-14T15:26:31.000Z

When trying to replicate I got the same error, it really seems to be something in the react webpack, more specifically in the devServer, since in a build everything seems to happen well

Answer 2 · 2020-09-14T15:52:00.000Z

I just found a solution to this problem, just change the webpack target of the react from electron-renderer to web, thus disabling all node integration.

webpack/react.webpack.js

module.exports = {
  ...
  target: 'web',
  ...
}

Answer 3 · 2020-10-03T00:31:46.000Z

@wilgnne Thank you so much for your solution, I really appreciate it!!