electron/remote

Is remote still harmful when only used in preload script?

linonetwo opened this issue · 3 comments

The article electrons-remote-module-considered-harmful didn't explain this relationship with the preload script.

If I enable context isolation and webSecurity, disable nodeIntegration, keep the remote module used only in the preload script, and use async remote functions instead of sync functions, is it still harmful?
I think, if used in this way, the remote module is basically the same as https://github.com/frankwallis/electron-ipc-proxy, and better in many ways because it is easier to use.

Yes.

Context isolation isn't perfect, and from time to time there are bugs in it that allow an attacker to gain access to the isolated world (e.g. GHSA-56pc-6jqp-xqj8). There exist other attack vectors too that an attacker might try to exploit to send arbitrary IPCs to the main process. Of course, we fix these in Electron as soon as we discover them, but it's best to limit the "blast radius" that such a vulnerability might have. The remote module essentially allows anyone who can send an IPC to the main process to do arbitrary things with the main process's privileges. Without the remote module, a context-isolation bypass is limited to accessing data inside the renderer process, which is ideally sandboxed. With the remote module, a context-isolation bypass becomes equivalent to an attacker being able to do anything the main process can.

It's best to abide by the Principle of Least Privilege which is a core Chromium design principle. This means fundamentally mistrusting any IPC message that comes from the renderer and assuming that it might have been sent by malicious code.
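Added example, not part of the thread and not Electron's or any commenter's own code: a main-process dispatcher that exposes narrow, argument-validated channels instead of the remote module, so a message from a compromised renderer can reach only what is listed. The `app://main` origin, the `notes:path` channel and `NOTES_DIR` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Assumed for illustration: UI served from app://main/, notes kept in NOTES_DIR.
const NOTES_DIR = '/srv/app-data/notes';

// Only frames loaded from the app's own origin may call any channel.
function isTrustedSender(frameUrl) {
  try {
    const u = new URL(frameUrl);
    return u.protocol === 'app:' && u.host === 'main';
  } catch {
    return false; // missing or unparsable URL
  }
}

// Each channel does one narrow job and validates its own arguments.
const handlers = new Map([
  ['notes:path', (name) => {
    if (typeof name !== 'string' || !/^[\w-]{1,64}\.txt$/.test(name)) {
      throw new Error('invalid note name');
    }
    return path.posix.join(NOTES_DIR, name);
  }],
]);

// Treat every message as if hostile code in the renderer had sent it.
function dispatch(event, channel, ...args) {
  const frame = event && event.senderFrame;
  if (!isTrustedSender(frame && frame.url)) throw new Error('untrusted sender');
  const handler = handlers.get(channel);
  if (!handler) throw new Error('unknown channel');
  return handler(...args);
}

// Electron wiring (main process), one ipcMain.handle per allowed channel:
//   for (const ch of handlers.keys())
//     ipcMain.handle(ch, (event, ...args) => dispatch(event, ch, ...args));

// Constructed requests: one legitimate, three that must be refused.
function demo() {
  const app = { senderFrame: { url: 'app://main/index.html' } };
  const other = { senderFrame: { url: 'https://example.test/' } };
  const attempt = (...a) => {
    try { return dispatch(...a); } catch (e) { return 'rejected: ' + e.message; }
  };
  return [
    attempt(app, 'notes:path', 'todo.txt'),
    attempt(app, 'notes:path', '../../etc/passwd'),
    attempt(app, 'require', 'child_process'),
    attempt(other, 'notes:path', 'todo.txt'),
  ];
}
```

With this shape, a context-isolation bypass gains the listed channels with validated arguments, not the main process's full privileges.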

@nornagon:

Got a follow-up question to your last post above. We use the remote module via the ngx-electron package and we do not load external content.

Then in the main process we filter and restrict all remote module requests to only the ones that we allow.

Wouldn't this effectively achieve the same result in terms of security?

I understand that remote via renderer is slower, but only referring to the security aspect for now.

Thanks.

@petef19 You'll have to do your own security evaluation for your specific use case. If you'd like an audit, I'd be happy to set up a contract.