diego3g/electron-typescript-react

Serious vulnerability with nodeIntegration: true in main.ts

Closed this issue · 2 comments

Following Electron's security guide, nodeIntegration should not be set to true.

"It is paramount that you do not enable Node.js integration in any renderer (BrowserWindow, BrowserView, or ) that loads remote content. The goal is to limit the powers you grant to remote content, thus making it dramatically more difficult for an attacker to harm your users should they gain the ability to execute JavaScript on your website."

"A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user's computer. Cross-site-scripting attacks are fairly common - and while an issue, their power is usually limited to messing with the website that they are executed on. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called "Remote Code Execution" (RCE) attack."

The following StackOverflow thread is relevant to this issue: https://stackoverflow.com/questions/55164360/with-contextisolation-true-is-it-possible-to-use-ipcrenderer
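An added example, not code from this repository, showing the webPreferences the issue objects to beside a hardened replacement, a small audit of those settings against the guide points quoted above, and a preload that exposes a narrow ipcRenderer surface through contextBridge (the question raised in the linked thread). Electron objects are passed in as parameters so the file also runs under plain Node; the IPC channel name and window size are assumptions.

```javascript
'use strict';
// Added example (not code from this repository): the webPreferences this
// issue reports beside a hardened replacement, an audit function that flags
// the guide violations quoted above, and a preload that exposes a narrow
// ipcRenderer surface via contextBridge, so the renderer keeps IPC without
// nodeIntegration. Electron objects (BrowserWindow, contextBridge,
// ipcRenderer) are passed in as parameters so this file also runs under Node.

// webPreferences as the issue describes them in main.ts (constructed here).
const reportedWebPreferences = { nodeIntegration: true };

// Hardened replacement: no Node in the renderer, isolated JS world, sandboxed
// renderer, and a preload that is the only bridge to the main process.
function hardenedWebPreferences(preloadPath) {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true, preload: preloadPath };
}

// Check a webPreferences object against the two settings discussed in this
// issue and the linked thread. Returns the findings (empty when clean).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: an XSS in the renderer can call Node APIs (RCE)');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation off: page scripts can reach preload/Electron internals');
  }
  return findings;
}

// Preload: expose only an allow-listed invoke(), never the raw ipcRenderer.
// The channel name is an assumption chosen for this example.
const ALLOWED_CHANNELS = new Set(['app:get-version']);
function exposeIpcApi(contextBridge, ipcRenderer) {
  const api = {
    invoke(channel, ...args) {
      if (!ALLOWED_CHANNELS.has(channel)) throw new Error(`ipc channel not allowed: ${channel}`);
      return ipcRenderer.invoke(channel, ...args);
    },
  };
  contextBridge.exposeInMainWorld('api', api); // renderer calls window.api.invoke(...)
  return api;
}

// Main process: create the window with the hardened preferences.
function createWindow(BrowserWindow, preloadPath) {
  return new BrowserWindow({ width: 800, height: 600, webPreferences: hardenedWebPreferences(preloadPath) });
}
```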

I ran into the same problem. I want to use the Firebase SDK, which requires a browser environment without nodeIntegration to work correctly.
However, I found out that this template doesn't build with nodeIntegration: false.

Fixed by 6acba3b.