How to use preload.js properly in Electron

by

Edit 2022

I’ve published a larger post on the history of Electron (how security has changed throughout Electron versions) and additional security considerations Electron developers can make to ensure the preload file is being used correctly in new apps.

Edit 2020

As another user asked, let me explain my answer below.

The proper way to use the preload.js in Electron is to expose whitelisted wrappers around any module your app may need to require.

Security-wise, it’s dangerous to expose require, or anything you retrieve through the require call in your preload.js (see my comment here for more explanation why). This is especially true if your app loads remote content, which many do.

In order to do things right, you need to enable a lot of options on your BrowserWindow as I detail below. Setting these options forces your electron app to communicate via IPC (inter-process communication) and isolates the two environments from each other. Setting up your app like this allows you to validate anything that may be a require‘d module in your backend, which is free from the client tampering with it.

Below, you will find a brief example of what I speak about and how it can look in your app. If you are starting fresh, I might suggest using secure-electron-template (which I am the author of) that has all of these security best-practices baked in from the get go when building an electron app.

This page also has good information on the architecture that’s required when using the preload.js to make secure apps.

main.js

const {
  app,
  BrowserWindow,
  ipcMain
} = require("electron");
const path = require("path");
const fs = require("fs");

// Keep a global reference of the window object, if you don't, the window will
// be closed automatically when the JavaScript object is garbage collected.
let win;

async function createWindow() {

  // Create the browser window.
  win = new BrowserWindow({
    width: 800,
    height: 600,
    webPreferences: {
      nodeIntegration: false, // is default value after Electron v5
      contextIsolation: true, // protect against prototype pollution
      enableRemoteModule: false, // turn off remote
      preload: path.join(__dirname, "preload.js") // use a preload script
    }
  });

  // Load app
  win.loadFile(path.join(__dirname, "dist/index.html"));

  // rest of code..
}

app.on("ready", createWindow);

ipcMain.on("toMain", (event, args) => {
  fs.readFile("path/to/file", (error, data) => {
    // Do something with file contents

    // Send result back to renderer process
    win.webContents.send("fromMain", responseObj);
  });
});

preload.js

const {
    contextBridge,
    ipcRenderer
} = require("electron");

// Expose protected methods that allow the renderer process to use
// the ipcRenderer without exposing the entire object
contextBridge.exposeInMainWorld(
    "api", {
        send: (channel, data) => {
            // whitelist channels
            let validChannels = ["toMain"];
            if (validChannels.includes(channel)) {
                ipcRenderer.send(channel, data);
            }
        },
        receive: (channel, func) => {
            let validChannels = ["fromMain"];
            if (validChannels.includes(channel)) {
                // Deliberately strip event as it includes `sender` 
                ipcRenderer.on(channel, (event, ...args) => func(...args));
            }
        }
    }
);

index.html

<!doctype html>
<html lang="en-US">
<head>
    <meta charset="utf-8"/>
    <title>Title</title>
</head>
<body>
    <script>
        window.api.receive("fromMain", (data) => {
            console.log(`Received ${data} from main process`);
        });
        window.api.send("toMain", "some data");
    </script>
</body>
</html>

More Related Contents:

  1. Electron require() is not defined
  2. What is the difference between const and const {} in JavaScript
  3. How to close electron app via javascript?
  4. How to view a PDF in an Electron BrowserWindow?
  5. Use of require(lib) versus in Electron apps
  6. Electron nodeIntegration not working, also general weird Electron behavior [duplicate]
  7. Read a file one line at a time in node.js?
  8. Read environment variables in Node.js
  9. Correct way to write loops for promise.
  10. Sequelize model association won’t create a new column
  11. Make several requests to an API that can only handle 20 request a minute
  12. Write / add data in JSON file using Node.js
  13. How to reload or re-render the entire page using AngularJS
  14. How to set NODE_ENV to production/development in OS X
  15. Will async/await block a thread node.js
  16. Stubbing a class method with Sinon.js
  17. Download text/csv content as files from server in Angular
  18. Serial port not working?
  19. Node.js Error: connect ECONNREFUSED
  20. Find out if someone has a role
  21. Writing npm modules in TypeScript
  22. I am getting error in console “You need to enable JavaScript to run this app.” reactjs
  23. How to get data out of a Node.js http get request
  24. How to chain execution of array of functions when every function returns deferred.promise?
  25. How can one get the file path of the caller function in node.js?
  26. Using Express Handlebars and Angular JS
  27. How to resolve the Syntax error : await is only valid in async function?
  28. Is there a way to read image metadata using node.js
  29. How to convert a string to ObjectId in nodejs mongodb native driver?
  30. How to run my node.js project on android?

Leave a Comment