Electron-react-boilerplate: For security, how can I disable nodeIntegration, contextIsolation and sandbox?

Created on 12 Nov 2017 · 1 Comment · Source: electron-react-boilerplate/electron-react-boilerplate

I want my application to have maximum Electron security, except I need "webSecurity": false.

Like this:

mainWindow = new BrowserWindow({
  show: false,
  width: 1500,
  height: 1600,
  "webPreferences": {
    "nodeIntegration": false,
    "contextIsolation": true,
    "sandbox": true,
    "webSecurity": false
  }
});

Unfortunately, this boilerplate template seems to not run without nodejs integration true, contextisolation false and sandbox false. Is that right?

I am getting "Uncaught ReferenceError: process is not defined" when I turn these security settings on.

As advised here https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

and

https://electron.atom.io/docs/api/browser-window/

Am I correct to understand this electron-react-boilerplate project is NOT focused on security?

>All comments

Hey @bootrino, I'm pretty sure most of those preferences don't work well in Electron. The API page says sandbox and contextIsolation are experimental, and also:

a sandboxed renderer does not have a Node.js environment running (with
the exception of preload scripts) and the renderers can only make changes to the
system by delegating tasks to the main process via IPC

So I really think you won't be lucky with those preferences in a boilerplate which isn't totally focused on security.
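
The delegation described in the quoted API text, as an added example that is not part of the original thread or the boilerplate's code: with the three settings from the question enabled, the main process serves an allow-listed set of IPC channels instead of the page touching `process` directly. It assumes a current Electron release (`ipcMain.handle`, `contextBridge`); the channel names and the `preload.js` and `index.html` files are hypothetical.

```javascript
// main.js -- added example; channel names, preload.js and index.html are assumptions.
// Settings from the question, minus webSecurity (left at its default, enabled).
function hardenedPrefs(preloadPath) {
  return {
    nodeIntegration: false,  // no require/process in page scripts
    contextIsolation: true,  // preload and page run in separate JS worlds
    sandbox: true,           // renderer reaches the system only through IPC
    preload: preloadPath,
  };
}

// Everything the renderer may ask the main process to do on its behalf.
const ENV_ALLOWED = new Set(['NODE_ENV']); // never hand over the whole environment
const handlers = {
  'app:get-platform': () => process.platform,
  'app:get-env': (name) => {
    if (typeof name !== 'string' || !ENV_ALLOWED.has(name)) {
      throw new Error('env variable not allowed');
    }
    return process.env[name] === undefined ? null : process.env[name];
  },
};

// Pure dispatcher: rejects any channel that is not an own key of `handlers`.
function dispatch(channel, args) {
  if (!Object.prototype.hasOwnProperty.call(handlers, channel)) {
    throw new Error(`channel not allowed: ${channel}`);
  }
  return handlers[channel](...args);
}

// Wire up only when running as Electron's main process (plain Node skips this).
if (process.versions.electron) {
  const path = require('path');
  const { app, BrowserWindow, ipcMain } = require('electron');
  for (const channel of Object.keys(handlers)) {
    ipcMain.handle(channel, (_event, ...args) => dispatch(channel, args));
  }
  app.whenReady().then(() => {
    const webPreferences = hardenedPrefs(path.join(__dirname, 'preload.js'));
    const win = new BrowserWindow({ webPreferences });
    win.loadFile('index.html');
  });
}
// preload.js (separate file) exposes one function per channel to the page:
//   const { contextBridge, ipcRenderer } = require('electron');
//   contextBridge.exposeInMainWorld('api', {
//     getPlatform: () => ipcRenderer.invoke('app:get-platform'),
//     getEnv: (name) => ipcRenderer.invoke('app:get-env', name) });
```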
