REMOTE_MODULE_JS_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 2 revisions

REMOTE_MODULE_JS_CHECK - Disable the remote module

The remote module provides a way for the renderer processes to access APIs normally only available in the main process. Using it, a renderer can invoke methods of a main process object without explicitly sending inter-process messages. This is highly discouraged since the module is considered harmful.


Risk

remote uses an internal IPC channel to communicate with the main process. "Prototype pollution" attacks can grant malicious code access to the internal IPC channel, which can then be used to escape the sandbox by mimicking remote IPC messages and getting access to main process modules running with higher privileges.

Auditing

Ensure that the remote module is globally disabled by setting enableRemoteModule to false in the webPreferences of every BrowserWindow and BrowserView:

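const { BrowserWindow } = require('electron')

const mainWindow = new BrowserWindow({
  webPreferences: {
    // Explicitly disable the remote module for this window
    enableRemoteModule: false
  }
})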
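
The audit step above as a small Node.js script (an added example, not from the original page and not the checker's own code): it scans source text for BrowserWindow and BrowserView constructions and reports whether enableRemoteModule is explicitly false. The function names, status labels and sample input are assumptions made for illustration, and the scan is a text heuristic, not a JavaScript parser.

```javascript
// Added example: heuristic text scan (hypothetical helper names).
const CTOR = /new\s+(BrowserWindow|BrowserView)\s*\(/g;

// Return the text between the parenthesis at `open` and its matching close.
function argumentText(source, open) {
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source[i] === '(') depth++;
    else if (source[i] === ')' && --depth === 0) return source.slice(open + 1, i);
  }
  return source.slice(open + 1); // unbalanced input: take the rest
}

// Report one finding per constructor call:
//   ok      - enableRemoteModule is the literal false
//   enabled - enableRemoteModule is the literal true
//   missing - inline options (or none) without the setting
//   review  - options or value come from a variable; check by hand
function auditRemoteModule(source) {
  const findings = [];
  for (const m of source.matchAll(CTOR)) {
    const args = argumentText(source, m.index + m[0].length - 1);
    const line = source.slice(0, m.index).split('\n').length;
    const setting = /enableRemoteModule\s*:\s*([^,}\s]+)/.exec(args);
    let status;
    if (setting) {
      status = setting[1] === 'false' ? 'ok' : setting[1] === 'true' ? 'enabled' : 'review';
    } else if (args.trim() && !args.includes('{')) {
      status = 'review';
    } else {
      status = 'missing';
    }
    findings.push({ line, target: m[1], status });
  }
  return findings;
}

// Constructed sample input for the demonstration.
const sample = `
const a = new BrowserWindow({ webPreferences: { enableRemoteModule: false } })
const b = new BrowserWindow({ width: 800, webPreferences: { enableRemoteModule: true } })
const c = new BrowserView({ webPreferences: { sandbox: true } })
const d = new BrowserWindow(sharedOptions)
`;

for (const f of auditRemoteModule(sample)) {
  console.log(`line ${f.line}: ${f.target} -> ${f.status}`);
}
```

Anything other than "ok" needs follow-up: "missing" and "enabled" are findings, and "review" means the options object has to be traced to where it is built.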
