CONTEXT_ISOLATION_JS_CHECK

Luca Carettoni edited this page Jan 16, 2019 · 1 revision

CONTEXT_ISOLATION_JS_CHECK - Review the use of the contextIsolation option

contextIsolation introduces JavaScript context isolation for preload scripts, as implemented in Chrome Content Scripts. Enabling this important option provides:

  • Different JS contexts between renderers and preload scripts
  • Different JS contexts between renderers and Electron’s framework code


The preload script will still have access to global variables, but it will use its own set of JavaScript builtins (Array, Object, JSON, etc.) and will be isolated from any changes made to the global environment by the loaded page.

Even if you have disabled nodeIntegration, contextIsolation is still required for isolation. As of today, not enabling contextIsolation allows malicious JavaScript code to execute Node APIs.


Risk

If contextIsolation is not used, malicious JS code can tamper with JavaScript native functions, as well as with preload script code, via prototype pollution.

Auditing

Ensure that contextIsolation is always explicitly enabled: contextIsolation: true

Starting from Electron v5, it is expected to be enabled by default.
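As an added illustration (not code from the Electronegativity project), the check above re-implemented over plain webPreferences objects, with a weak and a hardened BrowserWindow configuration side by side. The preload path, the finding object shape and the severity label are this example's own assumptions; it runs under plain Node without Electron.

```javascript
// Weak configuration (constructed sample): nodeIntegration is off, but
// contextIsolation is omitted, so the preload script and the loaded page
// still share one JavaScript context. nodeIntegration alone is not enough.
const weakWebPreferences = {
  nodeIntegration: false,
  preload: '/path/to/preload.js', // placeholder path
};

// Hardened configuration: contextIsolation explicitly true, so the preload
// script and Electron's framework code get their own context and builtins.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  preload: '/path/to/preload.js', // placeholder path
};

// The check: report a finding unless contextIsolation is explicitly true.
// Finding shape and severity label are this example's own convention,
// not Electronegativity's output format.
function checkContextIsolation(webPreferences) {
  const value = webPreferences ? webPreferences.contextIsolation : undefined;
  if (value === true) return null;
  return {
    id: 'CONTEXT_ISOLATION_JS_CHECK',
    severity: 'HIGH',
    message: value === undefined
      ? 'contextIsolation is not set; set contextIsolation: true explicitly'
      : 'contextIsolation is explicitly disabled',
  };
}

// Audit every BrowserWindow options object in an app (here a constructed
// list) and collect the findings, keyed by the window's index.
function auditWindows(windowOptionsList) {
  return windowOptionsList
    .map((opts, i) => ({ window: i, finding: checkContextIsolation(opts.webPreferences) }))
    .filter((r) => r.finding !== null);
}

// In main.js the hardened object would be passed as
//   new BrowserWindow({ webPreferences: hardenedWebPreferences });
const findings = auditWindows([
  { webPreferences: weakWebPreferences },
  { webPreferences: hardenedWebPreferences },
  { webPreferences: { contextIsolation: false } },
]);
console.log(JSON.stringify(findings, null, 2)); // two findings: windows 0 and 2
```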

References
