NODE_INTEGRATION_JS_CHECK

Luca Carettoni edited this page Jan 17, 2019 · 2 revisions

NODE_INTEGRATION_JS_CHECK - Disable nodeIntegration for untrusted origins

By default, Electron renderers can use Node.js primitives. For instance, a remote untrusted domain rendered in a browser window could invoke Node.js APIs to execute native code on the user’s machine. Similarly, a Cross-Site Scripting (XSS) vulnerability on a website can escalate to remote code execution. When displaying remote content, nodeIntegration should be disabled in the webPreferences of BrowserWindow and of the webview tag.

Risk

If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content.

Auditing

nodeIntegration and nodeIntegrationInWorker are boolean options in webPreferences that determine whether Node integration is enabled for the renderer and for its web workers, respectively.

For BrowserWindow, the default is true. If the option is not present, or is set to true or 1, nodeIntegration is enabled, as in the following examples:

const { BrowserWindow } = require('electron');

// Both options explicitly enabled (1 is treated the same as true)
const mainWindow = new BrowserWindow({
    "webPreferences": {
        "nodeIntegration": true,
        "nodeIntegrationInWorker": 1
    }
});

Or simply:

const mainWindow = new BrowserWindow();
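The rule stated above can be applied mechanically to a BrowserWindow options object. The following is an added example, not code from this wiki page or from the Electron project: a small audit helper that reports the two flagged shapes (option absent, or set to true/1) and stays silent on a hardened configuration that renders remote content with both options off. The function names (isNodeIntegrationEnabled, isWorkerNodeIntegrationEnabled, auditWebPreferences) and the sample option objects are constructed for this example.

```javascript
// Added example (not from the wiki page or Electron): static check for the
// NODE_INTEGRATION_JS_CHECK rule on a BrowserWindow options object.
// Assumes the Electron behaviour the page describes: nodeIntegration defaults
// to true when the option is absent, and true or 1 both mean "enabled".

// Page rule: option missing, or set to true/1, means enabled.
function isNodeIntegrationEnabled(webPreferences) {
  const prefs = webPreferences || {};
  if (!('nodeIntegration' in prefs)) {
    return true; // BrowserWindow default in the Electron versions the page covers
  }
  return prefs.nodeIntegration === true || prefs.nodeIntegration === 1;
}

// nodeIntegrationInWorker defaults to false in Electron, so only an explicit
// true/1 turns it on.
function isWorkerNodeIntegrationEnabled(webPreferences) {
  const prefs = webPreferences || {};
  const v = prefs.nodeIntegrationInWorker;
  return v === true || v === 1;
}

// Returns the findings for one `new BrowserWindow(options)` call.
function auditWebPreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  if (isNodeIntegrationEnabled(prefs)) {
    const why = 'nodeIntegration' in prefs ? 'set to true/1' : 'option absent, default applies';
    findings.push(`NODE_INTEGRATION_JS_CHECK: nodeIntegration is enabled (${why})`);
  }
  if (isWorkerNodeIntegrationEnabled(prefs)) {
    findings.push('NODE_INTEGRATION_JS_CHECK: nodeIntegrationInWorker is enabled');
  }
  return findings;
}

// Constructed sample inputs: the two flagged shapes shown on the page and a
// hardened configuration for a window that loads remote content.
const explicitlyEnabled = {
  webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: 1 },
};
const implicitlyEnabled = {}; // equivalent to `new BrowserWindow()` with no options
const hardened = {
  webPreferences: { nodeIntegration: false, nodeIntegrationInWorker: false },
};

function runDemo() {
  const samples = { explicitlyEnabled, implicitlyEnabled, hardened };
  for (const [name, opts] of Object.entries(samples)) {
    const findings = auditWebPreferences(opts);
    console.log(`${name}: ${findings.length ? findings.join('; ') : 'no findings'}`);
  }
}

runDemo();
```

The check treats a missing option exactly like an explicit true, which is the case most easily missed in a code review: a bare `new BrowserWindow()` that later calls `loadURL` on a remote origin is as exposed as one that opts in explicitly.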

References
