Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: Make Electron 'plugins' easier to implement #32909

Closed
3 tasks done
timfish opened this issue Feb 15, 2022 · 4 comments
Closed
3 tasks done

[Feature Request]: Make Electron 'plugins' easier to implement #32909

timfish opened this issue Feb 15, 2022 · 4 comments
Labels
enhancement ✨

Comments

@timfish
Copy link
Contributor

timfish commented Feb 15, 2022
edited

Preflight Checklist

Problem Description

It is currently non-trivial for third parties to supply code for use with Electron that works seamlessly across Electrons processes.

With the current Electron defaults, to get a library working across processes, users have to be instructed to call code from main, preload and renderer and they need to be using a bundler for this to be possible. This means it's currently not possible to build an Electron app following the security guidance without using a bundler.

Allowing third parties to create secure, well-designed modules that can be used easily across Electrons process model would be a good thing for users!

Proposed Solution

  • Supply a secure way to inject code into the preload or a means to configure a contextBridge from the main process
    • Using paths to preload scripts will not work if the main process is bundled
  • Additional bonus if we can inject code into the renderers
  • Add missing APIs like before-browser-window-created which are required to support various plugins that manipulate BrowserWindow

Alternatives Considered

It's possible to use custom protocols to work around this but this is not ideal.

Additional Information

Tauri obviously doesn't have many of the same hurdles as Electron but its plugin system allows configuration of everything from the plugin:

  • Setup in main process
  • Define exposed IPC APIs
  • Inject renderer code

This makes it really easy to supply secure reliable plugins that include everything the user needs.
@he-jialin
Copy link

he-jialin commented Feb 20, 2022
edited

There are too many constraints, which makes many people unwilling to upgrade the version. It is recommended to go back to the previous configuration mode enableRemoteModule
+1 😄

@miniak
Copy link
Contributor

miniak commented Mar 20, 2022

@he-jialin if you want to expose your users to Chromium security issues by using an outdated version of Electron, that's up to you.

@miniak
Copy link
Contributor

miniak commented Mar 20, 2022

You can already implement this using existing Electron APIs. The only thing that is missing is the proposed before-browser-window-created event, which is being tracked by a separate issue.

@miniak miniak closed this as completed Mar 20, 2022
@timfish
Copy link
Contributor Author

timfish commented Mar 20, 2022
edited

Supply a secure way to inject code into the preload or a means to configure a contextBridge from the main process

How is this possible with existing APIs?

If I create a plugin for Electron it has to be configured from three different contexts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement ✨
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timfish @miniak @he-jialin