caoxiemeihao / nuxt-electron

Integrate Nuxt and Electron
MIT License
169 stars, 18 forks

Security question: Why are `contextIsolation: false,` and `nodeIntegration: true,` necessary? #57

Closed (MichaelJCole closed this 4 months ago)

MichaelJCole commented 7 months ago

Hi, I'm coming from Quasar, which is another Vue project that integrates with Electron through vite.

I want some features from Nuxt 3, so I'm looking for an alternative.

The Electron security checklist says `nodeIntegration: true` and `contextIsolation: false` are a security issue.

I got the Quick-start running, but I'm unable to see content without disabling these security features.

Is there a reason this must be done for nuxt-electron?

This is the minimum nuxt-electron webPreferences config to see content:

```js
// Electron main process (nuxt-electron quick-start). `BrowserWindow` is
// imported from 'electron' and `preload` is the absolute path to the preload
// script, both defined earlier in the same file.
win = new BrowserWindow({
  webPreferences: {
    preload,
    // nodeIntegrationInWorker: true,
    contextIsolation: false,
    nodeIntegration: true,
    // webSecurity: false,
  },
});
```

Quasar's electron security checklist has a strong warning about this, and it's not necessary to disable these security features in development to get HMR.

What's different about Nuxt that requires disabling them?

You can try Quasar like this:

```sh
# accept all the defaults
yarn create quasar
# install the cli
yarn global add @quasar/cli
# add electron mode and run dev
quasar mode add electron
quasar dev --mode electron
```

In the file `src-electron/electron-main.js`, around line 20, the app instantiates the main window with `contextIsolation` and w/o `nodeIntegration`:

```js
// Quasar's generated src-electron/electron-main.js. `path` and
// `BrowserWindow` are imported at the top of the file; QUASAR_ELECTRON_PRELOAD
// is set by the Quasar CLI to the built preload script's path.
mainWindow = new BrowserWindow({
  icon: path.resolve(__dirname, 'icons/icon.png'), // tray icon
  width: 1000,
  height: 600,
  useContentSize: true,
  webPreferences: {
    contextIsolation: true,
    // More info: https://v2.quasar.dev/quasar-cli-vite/developing-electron-apps/electron-preload-script
    preload: path.resolve(__dirname, process.env.QUASAR_ELECTRON_PRELOAD)
  }
})
```

How can I enable these security features in nuxt-electron?

Thank you!
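The point of the question, as an added example that is not part of nuxt-electron, Quasar or the original post: the `webPreferences` quoted above beside a hardened counterpart, a small audit of such objects against the Electron security checklist, and the preload/contextBridge pattern that lets a renderer keep working with `contextIsolation: true` and `nodeIntegration: false`. The default values, the placeholder preload path, the channel names and every function name (`auditWebPreferences`, `createRendererApi`, `installPreload`) are assumptions of this example; Electron's `contextBridge` and `ipcRenderer` are passed in as parameters so the code runs under plain Node.

```javascript
// Added example (not from the nuxt-electron project or this issue). Electron
// objects are injected as parameters so this runs without Electron installed.

// Defaults applied when a key is absent. Assumption: Electron >= 20, where
// nodeIntegration defaults to false and contextIsolation and sandbox to true.
const ELECTRON_DEFAULTS = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
});

// The configuration quoted in the issue (preload path is a placeholder).
const insecureWebPreferences = {
  preload: '/path/to/preload.js',
  contextIsolation: false,
  nodeIntegration: true,
};

// Same window, hardened: page scripts get no Node and see only what the
// preload deliberately exposes through contextBridge.
const hardenedWebPreferences = {
  preload: '/path/to/preload.js',
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
};

// Rules taken from the Electron security checklist, keyed by preference.
const RULES = [
  {
    key: 'nodeIntegration',
    bad: (p) => p.nodeIntegration === true,
    why: 'page scripts, including any injected ones, can require() Node modules',
  },
  {
    key: 'contextIsolation',
    bad: (p) => p.contextIsolation === false,
    why: 'page scripts share one JS world with the preload and can reach its privileged objects',
  },
  {
    key: 'sandbox',
    bad: (p) => p.sandbox === false,
    why: 'the renderer runs outside the Chromium sandbox',
  },
  {
    key: 'webSecurity',
    bad: (p) => p.webSecurity === false,
    why: 'same-origin policy is disabled for loaded content',
  },
];

// Returns one finding per violated rule, in checklist order, after applying
// the assumed defaults to the supplied object.
function auditWebPreferences(prefs) {
  const effective = { ...ELECTRON_DEFAULTS, ...prefs };
  return RULES.filter((r) => r.bad(effective)).map((r) => ({ key: r.key, why: r.why }));
}

// Preload side: expose a narrow API instead of Node. Channel names are
// constructed for this example; a real app lists the channels it handles with
// ipcMain.handle in the main process.
const ALLOWED_INVOKE_CHANNELS = new Set(['app:get-version', 'settings:read']);

function createRendererApi(ipcRenderer) {
  return {
    // Only allow-listed channels reach the main process; the raw ipcRenderer,
    // require and fs are never handed to page scripts.
    invoke(channel, ...args) {
      if (!ALLOWED_INVOKE_CHANNELS.has(channel)) {
        throw new Error(`IPC channel not allowed: ${channel}`);
      }
      return ipcRenderer.invoke(channel, ...args);
    },
  };
}

// In a real preload.js this would be:
//   const { contextBridge, ipcRenderer } = require('electron');
//   installPreload(contextBridge, ipcRenderer);
// and page code would call window.electronApi.invoke('app:get-version').
function installPreload(contextBridge, ipcRenderer) {
  const api = createRendererApi(ipcRenderer);
  contextBridge.exposeInMainWorld('electronApi', api);
  return api;
}

function demo() {
  console.log('issue config:', auditWebPreferences(insecureWebPreferences));
  console.log('hardened config:', auditWebPreferences(hardenedWebPreferences));
}
demo();
```

With `contextIsolation: true` the Nuxt pages cannot touch `require` or the preload's scope at all, so any Node-backed feature has to be routed through an allow-listed IPC channel like the one above; that is the same shape Quasar's generated preload uses, and it is why disabling the two settings is never needed just to get HMR or page content to render.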

MichaelJCole commented 7 months ago

I think quasar mode add installs electron-vite here: https://github.com/quasarframework/quasar/blob/dev/app-vite/lib/cache/module.electron.js#L15

yejimeiming commented 6 months ago

`contextIsolation: false` and `nodeIntegration: true` are not necessary. It seems that the latest electron-vite template project has already closed them.

MichaelJCole commented 4 months ago

@caoxiemeihao @yejimeiming yes, you are correct. Thank you!