Electron IPC and nodeIntegration

by
  1. Is it possible to use ipcRenderer without enabling nodeIntegration?

It is possible, but fiddly. It can be done by using a preload script.

  1. If it is, how do I do it, and why would so many resources exclude this information?

It is possible, using the preload script as indicated below. However, this is not considered secure. Most of the existing documentation does not show best security practices.

A more secure example is given afterwards.

// preload.js
const electron = require('electron');

process.once('loaded', () => {
  global.ipcRenderer = electron.ipcRenderer;
});

// main.js
const {app, BrowserWindow} = require('electron');

app.on('ready', () => {
  // Create the browser window.
  win = new BrowserWindow({
      backgroundColor: '#fff', // always set a bg color to enable font antialiasing!
      webPreferences: {
        preload: path.join(__dirname, './preload.js'),
        nodeIntegration: false,
        enableRemoteModule: false,
        // contextIsolation: true,
        // nativeWindowOpen: true,
        // sandbox: true,
      }
  });
  win.loadURL(`file://${path.join(__dirname, 'index.html')}`);

NOTE That the path to the preload script must be absolute and this can also
get complicated when using webpack/babel, as the output file may be a different path.

  1. If it is not, what do I use?

Edit
As @Yannic pointed out, there is now another option supported by Electron, called contextBridge. This new option may solve the problem more simply. For info on contextBridge, check the electron docs: https://www.electronjs.org/docs/tutorial/context-isolation

However, even with contextBridge you should not be try to expose entire electron APIs, just a limited API you have designed for your app

As mentioned, although it is possible to use ipcRenderer as shown above, the current electron security recommendations recommend also enabling contextIsolation. This will make the above approach unusable as you can no longer add data to the global scope.

The most secure recommendation, AFAIK is to use addEventListener and postMessage instead, and use the preload script as a bridge between the renderer and the main scripts.

// preload.js
const { ipcRenderer } = require('electron');

process.once('loaded', () => {
  window.addEventListener('message', event => {
    // do something with custom event
    const message = event.data;

    if (message.myTypeField === 'my-custom-message') {
      ipcRenderer.send('custom-message', message);
    }
  });
});

// main.js
const {app, ipcMain, BrowserWindow} = require('electron');

app.on('ready', () => {
  ipcMain.on('custom-message', (event, message) => {
    console.log('got an IPC message', e, message);
  });

  // Create the browser window.
  win = new BrowserWindow({
      backgroundColor: '#fff', // always set a bg color to enable font antialiasing!
      webPreferences: {
        preload: path.join(__dirname, './preload.js'),
        nodeIntegration: false,
        enableRemoteModule: false,
        contextIsolation: true,
        sandbox: true,
        // nativeWindowOpen: true,
      }
  });
  win.loadURL(`file://${path.join(__dirname, 'index.html')}`);

// renderer.js
window.postMessage({
  myTypeField: 'my-custom-message',
  someData: 123,
});

More Related Contents:

  1. styled components final styles are injected directly in DOM with tag, with style tag injection does performance gets affected?
  2. The create-react-app imports restriction outside of src directory
  3. Correct path for img on React.js
  4. babel-loader jsx SyntaxError: Unexpected token [duplicate]
  5. How to load image files with webpack file-loader
  6. ES6 modules implementation, how to load a json file
  7. How to import image (.svg, .png ) in a React Component
  8. firebase.auth is not a function
  9. When should I use brackets with imports
  10. How to store Configuration file and read it using React
  11. where is create-react-app webpack config and files?
  12. How do I reload a page with react-router?
  13. Importing CSS files in Isomorphic React Components
  14. Webpack output is empty object
  15. Webpack breaking change
  16. Is it possible to use dotenv in a react project?
  17. “You may need an additional loader to handle the result of these loaders.”
  18. how to set up an inline svg with webpack
  19. Webpack 5 – Uncaught ReferenceError: process is not defined
  20. Module build failed (from ./node_modules/babel-loader/lib/index.js): Error: Cannot find module ‘babel-preset-react’
  21. React JS Server side issue – window not found
  22. Why is my webpack bundle.js and vendor.bundle.js so incredibly big?
  23. how can I use top level “await” in typescript next.js
  24. How can I fix the “BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default" error?
  25. How to dynamically import SVG and render it inline
  26. “this” is undefined inside map function Reactjs
  27. React component initialize state from props
  28. How can I call parent method in a child React component?
  29. minimise the code since I am using the same code only the content in p tags changes and component AccordionHeader header changes
  30. React props: Should I pass the object or its properties? Does it make much difference?

Leave a Comment