Not possible to disable nodeIntegration when using webpack plugin #1636

Closed
b-zurg opened this issue Apr 19, 2020 · 7 comments

@b-zurg
Contributor

b-zurg commented Apr 19, 2020

Preflight Checklist

  • [x] I have read the contribution documentation for this project.
  • [x] I agree to follow the code of conduct that this project follows, as appropriate.
  • [x] I have searched the issue tracker for a bug that matches the one I want to file, without success.

Issue Details

  • Electron Forge Version: 6.0.0-beta.50
  • Electron Version: v8.2.2
  • Operating System: Windows 10 1903

Expected Behavior

Problem Description

The ease of use of having a preload script with the webpack plugin is great, and I was very hopeful it would allow me to set nodeIntegration to false so that I could follow Electron's security recommendations. However, this seems to be quite impossible. This is simply because the target is set in the plugin for the renderer to be electron-renderer which, according to [webpack's docs](https://webpack.js.org/configuration/target/), is intended to target node for ease of bundling.

This means that the bundled webpack code will expect node and not be able to run and load modules, etc.

Proposed Solution

There should be a configuration for every renderer entry point called nodeIntegration that could be set to false that would then set the following webpack properties:

target: "web",
output: {
  libraryTarget: "var"
}

As I understand this is basically bundling the code as if it were to run in the browser.

Alternatives Considered

I'm not totally clear what would be a better solution than this. Open to suggestions.

Additional Information

This is part of a larger question of this framework supporting the best security recommendations from Electron. As I understand, as of now this is to turn off nodeIntegration at the least, but there are other recommendations that would ideally be easily supported by such an easy-to-use framework as this.

In general this would encourage electron developers to follow best practices.

@vazra
Contributor

vazra commented Jul 9, 2020

@b-zurg libraryTarget is var by default, right?

@vazra
Contributor

vazra commented Jul 9, 2020

@malept Is this a bug? Based on the webpack docs, the target electron-renderer should

Compile for Electron for renderer process, providing a target using JsonpTemplatePlugin, FunctionModulePlugin for browser environments and NodeTargetPlugin and ExternalsPlugin for CommonJS and Electron built-in modules

So if nodeIntegration is false, it shouldn't add NodeTargetPlugin etc. But based on a quick sample project I generated from the latest webpack template, when nodeIntegration is false it breaks, showing errors like

Uncaught ReferenceError: require is not defined
    at Object.events (external "events":1)
    at __webpack_require__ (bootstrap:789)

That means webpack is considering it as a node environment, which actually is a non-node env. So is there something missing which sets the correct environment for the renderer based on nodeIntegration?

@b-zurg
Contributor Author

b-zurg commented Jul 10, 2020

> @b-zurg libraryTarget is var by default, right?

I'm honestly not sure. Would have to check the webpack docs.

@linonetwo

Hi, I get require is not defined when importing react-pixi-fiber. It is a web-only lib, but it is using the dist file in the cjs folder, though it actually also provides a umd version of the dist file.

Maybe we should use umd instead of cjs.

@gyzerok

gyzerok commented Dec 14, 2020

I am getting require is not defined after using ipcRenderer.invoke.

Is there some workaround I can take to solve it currently?

@Eli-Black-Work

Eli-Black-Work commented Jul 28, 2021

@linonetwo, @gyzerok, and @b-zurg Not sure if you ever got this working, but I just spent the last couple of days solving a similar issue, and here is what worked for me:

  1. Upgrade electron-forge to 6.0.0-beta.57, which has some fixes related to this issue.
  2. Set nodeIntegration to false (or remove this setting entirely, since the default is now false).
  3. Do not manually specify target in either webpack.main.config.js, webpack.renderer.config.js, or webpack.preload.config.js. electron-forge automatically specifies the correct targets for the main, renderer, and preload processes.
  4. Configure your project with a preload.js file and see IpcRenderer does not execute normally in preload.js electron#21437 (comment) for how to do your require() in preload.js and expose it to your renderer.

Hope that helps 🙂 Feel free to let me know if you run into any issues 🙂
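
Added example (not part of the thread, the linked comment, or Electron Forge's own code): one way to carry out step 4 above with Electron's contextBridge, so the renderer runs with nodeIntegration off and only reaches allowlisted IPC channels. The channel names and the `api` global are hypothetical.

```javascript
// preload.js (added example; channel names below are hypothetical)
'use strict';

// Only these channels may be reached from the renderer.
const INVOKE_CHANNELS = new Set(['settings:get', 'file:open-dialog']);
const EVENT_CHANNELS = new Set(['update:progress']);

// Build the object exposed to the page. ipcRenderer is passed in, so the
// renderer never receives ipcRenderer or require() itself.
function makeBridge(ipcRenderer) {
  return Object.freeze({
    invoke(channel, ...args) {
      if (!INVOKE_CHANNELS.has(channel)) {
        return Promise.reject(new Error(`blocked IPC channel: ${channel}`));
      }
      return ipcRenderer.invoke(channel, ...args);
    },
    on(channel, listener) {
      if (!EVENT_CHANNELS.has(channel)) {
        throw new Error(`blocked IPC channel: ${channel}`);
      }
      // Drop the IpcRendererEvent so the page gets only the payload.
      const wrapped = (_event, ...args) => listener(...args);
      ipcRenderer.on(channel, wrapped);
      // Return an unsubscribe function instead of exposing removeListener.
      return () => ipcRenderer.removeListener(channel, wrapped);
    },
  });
}

// Wire it up only when actually running inside Electron.
if (process.versions.electron) {
  const { contextBridge, ipcRenderer } = require('electron');
  contextBridge.exposeInMainWorld('api', makeBridge(ipcRenderer));
}
```

The renderer then calls `window.api.invoke('settings:get')` without any `require`. contextBridge needs contextIsolation enabled on the BrowserWindow.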

malept closed this as completed Jul 28, 2021
@malept
Member

malept commented Jul 28, 2021

This was implemented in #2330
