Why do I see an "Electron Security Warning" after updating my Electron project to the latest version?

Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license and attribute it to the original authors (not me) on StackOverflow, linking the original: http://stackoverflow.com/questions/48854265/

Date: 2020-09-02 18:41:46  Source: igfitidea

Tags: node.js, electron, vuetify.js

Asked by Un1

I've created Electron-Vuejs-Vuetify project from this Vuetify's boilerplate


I'm seeing this warning in the console:


Electron Security Warning 
This renderer process has Node.js integration enabled and 
attempted to load remote content. This exposes users of this app to severe security risks.

For more information and help, consult https://electronjs.org/docs/tutorial/security

Question:


What could possibly cause that: Node, Vue.js, webpack's localhost config? What should I do?

Answered by netlander

Add the following line to main.js:


process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';


However, you should read Security, Native Capabilities, and Your Responsibility to fully understand the implications of doing so.

Answered by antzshrek

You're having this:

你有这个:

Electron Security Warning This renderer process has Node.js integration enabled and attempted to load remote content. This exposes users of this app to severe security risks.


Because of the 2nd of the Security Recommendations from the Electron documentation:

2) Disable Node.js Integration for Remote Content


It is paramount that you disable Node.js integration in any renderer (BrowserWindow, BrowserView, or WebView) that loads remote content. The goal is to limit the powers you grant to remote content, thus making it dramatically more difficult for an attacker to harm your users should they gain the ability to execute JavaScript on your website.


After this, you can grant additional permissions for specific hosts. For example, if you are opening a BrowserWindow pointed at "https://my-website.com/", you can give that website exactly the abilities it needs, but no more.


Why?


A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user's computer. Cross-site-scripting attacks are fairly common - and while an issue, their power is usually limited to messing with the website that they are executed on. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called "Remote Code Execution" (RCE) attack.


How?


const { BrowserWindow } = require('electron')
const path = require('path')

// Bad: nodeIntegration is left at its (then) default of true while a remote
// site is loaded, so an XSS on that site can reach Node.js APIs
const mainWindow = new BrowserWindow()
mainWindow.loadURL('https://my-website.com')

// Good: Node.js integration off, with a preload script that exposes only
// what the page needs. Electron requires the preload path to be absolute.
const mainWindow = new BrowserWindow({
  webPreferences: {
    nodeIntegration: false,
    preload: path.join(__dirname, 'preload.js')
  }
})

mainWindow.loadURL('https://my-website.com')


<!-- Bad -->
<webview nodeIntegration src="page.html"></webview>

<!-- Good -->
<webview src="page.html"></webview>

When disabling Node.js integration, you can still expose APIs to your website that do consume Node.js modules or features. Preload scripts continue to have access to require and other Node.js features, allowing developers to expose a custom API to remotely loaded content.


In the following example preload script, the later loaded website will have access to a window.readConfig() method, but no Node.js features.

const { readFileSync } = require('fs')
const path = require('path')

// Runs in the renderer before the page's own scripts and has Node.js access.
// Assigning to `window` like this only reaches the page while contextIsolation
// is off, which was the default in the Electron versions this question is about.
window.readConfig = function () {
  // Resolve relative to the app directory, not the process working directory
  const data = readFileSync(path.join(__dirname, 'config.json'), 'utf8')
  return data
}

Therefore you've been warned, so that you can Disable Node.js Integration for Remote Content.

I hope this helps answer your question.

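As an added example (not part of the answer above and not Electron's own check), here is the condition the warning names, "Node.js integration enabled" together with "remote content", written out as a small static audit of BrowserWindow options and webview markup. It runs in plain Node without Electron. Assumptions that are not on the page: remote content means an http:, https: or ftp: URL while file: counts as local; nodeIntegration defaulted to true before Electron 5 and to false from Electron 5 on; and Electron requires the preload option to be an absolute path. The rule names and the function names auditWindow, auditWebviewTags and hardenedWindowOptions are made up for this example.

```javascript
// Added example (not Electron's own check): a static audit for the
// "Node.js integration enabled + remote content" condition in the warning.
// Assumptions: http:/https:/ftp: are remote, file: is local; nodeIntegration
// defaulted to true before Electron 5 and to false afterwards; `preload`
// must be an absolute path. Rule names are invented for this example.

const REMOTE_PROTOCOLS = new Set(['http:', 'https:', 'ftp:']);

function isRemoteUrl(url) {
  // Throws on an unparsable URL, which loadURL would reject anyway.
  return REMOTE_PROTOCOLS.has(new URL(url).protocol);
}

function isAbsolutePath(p) {
  // POSIX absolute path or Windows drive-letter path.
  return /^(\/|[A-Za-z]:[\\/])/.test(p);
}

// options: the object you would pass to `new BrowserWindow(options)`.
// electronMajor: only used for the nodeIntegration default when the
// option is not set explicitly (true before 5, false from 5 on).
function auditWindow(options, url, electronMajor = 2) {
  const prefs = (options && options.webPreferences) || {};
  const nodeIntegration = 'nodeIntegration' in prefs
    ? Boolean(prefs.nodeIntegration)
    : electronMajor < 5;
  const findings = [];

  if (nodeIntegration && isRemoteUrl(url)) {
    findings.push({
      rule: 'node-integration-with-remote-content',
      message: `nodeIntegration is enabled and ${url} is remote content; ` +
        'an XSS on that site can escalate to code execution on the host',
    });
  }

  if (typeof prefs.preload === 'string' && !isAbsolutePath(prefs.preload)) {
    findings.push({
      rule: 'relative-preload-path',
      message: `preload "${prefs.preload}" is not absolute; ` +
        "use path.join(__dirname, 'preload.js')",
    });
  }

  return findings;
}

// Flags <webview> tags carrying the nodeIntegration attribute, as in the
// "Bad" markup quoted above. Regex scan over the markup, not an HTML parser.
function auditWebviewTags(html) {
  const offending = [];
  for (const [tag] of html.matchAll(/<webview\b[^>]*>/gi)) {
    if (/\bnodeintegration\b/i.test(tag)) offending.push(tag);
  }
  return offending;
}

// Options for a window that loads remote content: Node integration off and
// an absolute preload path, mirroring the "Good" example above.
function hardenedWindowOptions(preloadAbsolutePath) {
  return { webPreferences: { nodeIntegration: false, preload: preloadAbsolutePath } };
}

// Constructed sample inputs for a quick run.
console.log(auditWindow({}, 'https://my-website.com'));
console.log(auditWindow(hardenedWindowOptions('/app/preload.js'), 'https://my-website.com'));
console.log(auditWebviewTags('<webview nodeIntegration src="page.html"></webview>'));
```

The first call reproduces the question's situation (default options, remote URL) and yields one finding; the hardened options yield none; loading a file: URL with Node integration on is reported as clean because the warning, as quoted, is specifically about remote content.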

Answered by Tomáš Hübelbauer

The Electron security checklist mentions how to deal with the security warning. In particular, when serving index.html from the file: protocol (where you can't use HTTP CSP headers), it is possible to use the meta tag for the same purpose, as documented in the security checklist here: CSP HTTP header.

It recommends using

<meta http-equiv="Content-Security-Policy" content="default-src 'none'" />

…but I have found (got help on GitHub here) this one to be more practical, as it allows one to use script src:

<meta http-equiv="Content-Security-Policy" content="script-src 'self';" />

More on CSP on content-security-policy.com.

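To make the difference between the two policies above concrete, here is an added example that is not part of the answer and not Electron's or any browser's CSP implementation: a minimal evaluator that parses a policy, applies the CSP rule that script-src falls back to default-src when absent, and reports whether scripts from the page's own origin, inline scripts and eval() are permitted. It also pulls the policy out of the meta tag, which is the only place to set one for a page served from file:. The function names parseCsp, effectiveSources, scriptPolicy and cspFromHtml and the sample page are constructed for this example.

```javascript
// Added example (not Electron's or a browser's implementation): a minimal
// CSP evaluator for comparing the <meta> policies quoted above. It honours
// the script-src -> default-src fallback and only interprets the keyword
// sources used here. Function names are invented for this example.

// Parse "name src src; name src" into a Map of directive -> source list.
// Per CSP, when a directive is repeated only the first occurrence counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Source list governing `directive`, or null when the policy says nothing
// about it (fetch directives such as script-src fall back to default-src).
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// What the policy lets scripts do. `unrestricted` means neither script-src
// nor default-src is present, i.e. effectively no CSP for scripts.
function scriptPolicy(policy) {
  const sources = effectiveSources(parseCsp(policy), 'script-src');
  if (sources === null) {
    return { unrestricted: true, self: true, inline: true, eval: true };
  }
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  // 'none' only takes effect when it is the sole source expression.
  const none = sources.length === 1 && has("'none'");
  return {
    unrestricted: false,
    self: !none && (has("'self'") || has('*')),
    inline: !none && has("'unsafe-inline'"),
    eval: !none && has("'unsafe-eval'"),
  };
}

// Extract the policy from a <meta http-equiv="Content-Security-Policy"> tag.
// Regex-based and attribute-order independent; not a full HTML parser.
// Returns null when no such tag exists.
function cspFromHtml(html) {
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']content-security-policy["']/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (!m) return '';
    return m[1] !== undefined ? m[1] : m[2];
  }
  return null;
}

// Constructed sample page using the meta tag recommended above.
const SAMPLE_HTML = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self';" />
</head><body><script src="renderer.js"></script></body></html>`;

console.log(scriptPolicy(cspFromHtml(SAMPLE_HTML)));
```

With default-src 'none' nothing is allowed at all, which is why it breaks a normal renderer; script-src 'self' permits the app's own script files while still refusing inline scripts and eval(), the two capabilities an injected payload relies on.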

Answered by li x

The newer version of the Electron Vue template has these warnings, which were previously disabled in the beta using:

process.env['ELECTRON_DISABLE_SECURITY_WARNINGS'] = 'true';

which now requires you to do the following inside your index.js:

process.env.ELECTRON_DISABLE_SECURITY_WARNINGS = '1';

Answered by JerryGoyal

From Electron 2.0 on, developers will see warnings and recommendations printed to the developer console. They only show up when the binary's name is Electron, indicating that a developer is currently looking at the console.


I would suggest you follow the official Electron Security Recommendations checklist to avoid these warnings: https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Answered by Marc

TLDR: Disable eval() in your BrowserWindow options.


I just went through this process on the latest Electron, Vue etc., and the solution is to disable eval(), which can be a security risk due to it executing code which is not from you (or your app).

Add allowEval: false to your webPreferences during window creation to prevent the warning cleanly:

const electron = require('electron');

const win = new electron.BrowserWindow({
    webPreferences: {
        allowEval: false // This is the key!
    }
});

Some background info: electron actually tries to execute some javascript code (from a string using require('electron').executeJavaScript) and, if it succeeds, it considers your code unsafe.
