NODE_INTEGRATION_HTML_CHECK - Disable nodeIntegration for untrusted origins
By default, Electron renderers can use Node.js primitives. For instance, a remote untrusted domain rendered in a browser window could invoke Node.js APIs to execute native code on the user’s machine. Similarly, a Cross-Site Scripting (XSS) vulnerability on a website can lead to remote code execution. To display remote content,
nodeIntegration should be disabled in the webPreferences of
nodeIntegrationInWorker are boolean options that can be used to determine whether node integration is enabled.
For the webview tag, the default is false. When the nodeintegration attribute is present, the guest page in the webview will have node integration:
<webview src="https://doyensec.com/" nodeintegration></webview>
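An added example, not code from this page or from the project it documents: a dependency-free scan of HTML for webview tags that carry the nodeintegration attribute, treating mere presence as enabled, as stated above. The function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag <webview> tags that carry the nodeintegration attribute.
// Presence of the attribute is what matters, so nodeintegration="false" is
// reported too, while the word appearing inside another attribute's value is not.

// Opening <webview ...> tag; quoted values may contain '>' without ending the tag.
const WEBVIEW_TAG = /<webview(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// Attribute name, optionally followed by = and a quoted or bare value.
const ATTRIBUTE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTRIBUTE)) {
    const name = m[1].toLowerCase(); // HTML attribute names are case-insensitive
    // Keep the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

function findNodeIntegrationWebviews(html) {
  // Blank out HTML comments but keep newlines so reported line numbers stay correct.
  const text = html.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, ' '));
  const findings = [];
  for (const m of text.matchAll(WEBVIEW_TAG)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.has('nodeintegration')) continue;
    const src = (attrs.get('src') ?? '').trim();
    findings.push({
      line: text.slice(0, m.index).split('\n').length,
      src,
      // http(s) and protocol-relative sources load remote content: review these first.
      remote: /^(https?:)?\/\//i.test(src),
    });
  }
  return findings;
}

// Constructed sample input (not taken from a real application).
const SAMPLE = [
  '<webview src="https://doyensec.com/" nodeintegration></webview>',
  '<webview src="https://example.com/" title="nodeintegration off"></webview>',
  "<WebView NodeIntegration=\"false\" src='file:///app/help.html'></WebView>",
  '<!-- <webview src="https://example.org/" nodeintegration></webview> -->',
].join('\n');

for (const f of findNodeIntegrationWebviews(SAMPLE)) {
  console.log(`line ${f.line}: nodeintegration on <webview src="${f.src}"> remote=${f.remote}`);
}
```

The scan reports lines 1 and 3 of the sample; line 2 only mentions the word inside a title value and line 4 is commented out.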