NODE_INTEGRATION_HTML_CHECK
By default, Electron renderers can use Node.js primitives. For instance, a remote untrusted domain rendered in a browser window could invoke Node.js APIs to execute native code on the user’s machine. Similarly, a Cross-Site Scripting (XSS) vulnerability on a website can lead to remote code execution. To display remote content, nodeIntegration should be disabled in the webPreferences of BrowserWindow and webview tags.
If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content.
nodeIntegration and nodeIntegrationInWorker are boolean options that can be used to determine whether Node integration is enabled.
For webview tags, the default is false. When this attribute is present, the guest page in webview will have node integration:
<webview src="https://doyensec.com/" nodeintegration></webview>
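One way to audit HTML sources for this attribute, as an added example that is not Electronegativity's own implementation: a simplified scanner that reports every webview tag carrying nodeintegration. The function name and the sample markup are constructed for illustration. A tag is flagged whenever the attribute is present, whatever value it is given, matching the behaviour described above.

```javascript
// Added example: simplified audit helper, not Electronegativity's code.
// SAMPLE_HTML is constructed for illustration.
const SAMPLE_HTML = `
<webview id="a" src="https://doyensec.com/" nodeintegration></webview>
<webview id="b" src="https://doyensec.com/"></webview>
<WebView id="c" src="https://doyensec.com/" NodeIntegration="false"></WebView>
<webview id="d" src="https://doyensec.com/?nodeintegration"></webview>
<!-- <webview id="e" nodeintegration></webview> -->
`;

// Returns [{ line, tag }] for each <webview> that has a nodeintegration attribute.
function findNodeIntegrationWebviews(html) {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  const text = html.replace(/<!--[\s\S]*?-->/g, (m) => m.replace(/[^\n]/g, ' '));
  // Opening tag; quoted values are consumed whole so a '>' inside them is safe.
  const tagRe = /<webview(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const findings = [];
  let tag;
  while ((tag = tagRe.exec(text)) !== null) {
    // Tokenise name[=value] pairs so text inside values (id "d") is never
    // mistaken for an attribute name.
    const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    const names = [];
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      names.push(attr[1].toLowerCase()); // HTML attribute names are case-insensitive
    }
    // Presence is what matters: nodeintegration="false" (id "c") is still flagged.
    if (names.includes('nodeintegration')) {
      const line = text.slice(0, tag.index).split('\n').length;
      findings.push({ line, tag: tag[0] });
    }
  }
  return findings;
}

for (const f of findNodeIntegrationWebviews(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.tag}`);
}
```

Each reported tag should either drop the attribute or be confirmed to load only trusted, local content.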