alex8088 / quick-start

An easy way to start a front-end project.
MIT License
242 stars 33 forks

Remove `sandbox: false` from electron-vite-boilerplate and quick-start #21

Open MichaelJCole opened 9 months ago

MichaelJCole commented 9 months ago

Clear and concise description of the problem

Hi, I'm looking to integrate nuxt with electron. I'm coming from the Quasar project. Quasar uses electron-vite.

I started with nuxt-electron plugin, but it disables a bunch of security features in electron.

This is the most secure config I could get to get the example started.

  win = new BrowserWindow({
    webPreferences: {
      preload,
      // nodeIntegrationInWorker: true,
      contextIsolation: false,
      nodeIntegration: true,
      // webSecurity: false,
    },
  });

I'm coming from Quasar, which appears to use electron-vite. The most secure config I can get is:

  mainWindow = new BrowserWindow({
    icon: path.resolve(__dirname, 'icons/icon.png'), // tray icon
    width: 1000,
    height: 600,
    useContentSize: true,
    webPreferences: {
      contextIsolation: true,
      // More info: https://v2.quasar.dev/quasar-cli-vite/developing-electron-apps/electron-preload-script
      preload: path.resolve(__dirname, process.env.QUASAR_ELECTRON_PRELOAD),
    },
  });

So why not use electron-vite directly? The most secure config I can get seems to be with the sandbox turned off:

  const mainWindow = new BrowserWindow({
    width: 900,
    height: 670,
    show: false,
    autoHideMenuBar: true,
    ...(process.platform === 'linux' ? { icon } : {}),
    webPreferences: {
      preload: join(__dirname, '../preload/index.js'),
      sandbox: false
    }
  })

If I enable the sandbox, content doesn't show in the vue-typescript version. This seems to be the default for quickstart and electron-vite-boilerplate.

What is Quasar doing with electron-vite to allow enabling the sandbox? Quasar appears to install electron-vite here and only needs to turn off sandbox to use @electron/remote.

I don't see @electron/remote in the quick-start. Why is sandbox: false needed?

Thank you!

Used Scaffolding

create-electron

Suggested solution

Use IPC in the examples.

Alternative

No response

Additional context

No response


alex8088 commented 9 months ago

Thanks for your suggestion. It is really necessary to add an example using IPC in the template. Of course you can get more in the documentation.

About sandbox:

Read more in Limitations of Sandboxing
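
The three `webPreferences` objects quoted in the issue, resolved to the protections each one actually gives up. This is an added example, not code from the issue, electron-vite or Quasar. It assumes Electron 20+ defaults for unset keys (sandbox on unless `nodeIntegration` is enabled); the function names and preload paths are hypothetical.

```javascript
// Added example. Assumes Electron 20+ defaults for unset webPreferences keys.
const DEFAULTS = { nodeIntegration: false, contextIsolation: true, webSecurity: true };

// Resolve what the renderer actually gets, including implicit interactions.
function effectivePosture(webPreferences = {}) {
  const p = { ...DEFAULTS, ...webPreferences };
  // Sandbox is on by default, but enabling nodeIntegration turns it off
  // unless sandbox is set explicitly.
  const sandbox = typeof p.sandbox === 'boolean' ? p.sandbox : !p.nodeIntegration;
  return {
    sandbox,
    // An explicit sandbox: true disables the Node.js engine in the renderer.
    nodeInPage: p.nodeIntegration && !sandbox,
    contextIsolation: p.contextIsolation,
    webSecurity: p.webSecurity,
  };
}

const CHECKS = [
  ['sandbox-off', (e) => !e.sandbox, 'renderer and preload run outside the OS-level sandbox'],
  ['node-in-page', (e) => e.nodeInPage, 'page scripts can call require() and Node APIs'],
  ['context-isolation-off', (e) => !e.contextIsolation, 'page shares a JS world with the preload'],
  ['web-security-off', (e) => !e.webSecurity, 'same-origin policy is disabled'],
];

// Return the ids of every protection the config gives up.
function audit(webPreferences) {
  const e = effectivePosture(webPreferences);
  return CHECKS.filter(([, failed]) => failed(e)).map(([id]) => id);
}

// The three configs from the issue; preload paths are constructed placeholders.
const CONFIGS = {
  'nuxt-electron': { preload: '/app/preload.js', contextIsolation: false, nodeIntegration: true },
  'quasar': { preload: '/app/preload.js', contextIsolation: true },
  'electron-vite quick-start': { preload: '/app/preload/index.js', sandbox: false },
};

for (const [name, prefs] of Object.entries(CONFIGS)) {
  const ids = audit(prefs);
  console.log(`${name}: ${ids.length ? ids.join(', ') : 'no findings'}`);
  for (const [id, , why] of CHECKS) if (ids.includes(id)) console.log(`  ${id}: ${why}`);
}
```

Under these assumptions the quick-start template's only finding is the explicit `sandbox: false` the issue asks about, while the first config loses the sandbox implicitly through `nodeIntegration: true`.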