問題描述
我在創建自定義窗口控件(如關閉、最小/最大和還原)時遇到問題,但 nodeIntegration 已關閉.我在渲染器的本地 html 文件中創建了按鈕
<塊引用>main.js
mainWindow = new BrowserWindow({x, y, 寬度, 高度,框架:假,顯示:假,webPreferences: { devTools: true }});mainWindow.loadURL(url.format({協議:'文件:',斜線:真,路徑名:path.join(__dirname, 'assets', 'index.html')}));<塊引用>
index.html
<div id='minimize' class='noSelect'></div><div id='maximize' class='noSelect'></div><div id='restore' class='noSelect'></div><div id='close' class='noSelect'></div><script type='text/javascript' src='../assets/js/index.js'></script>默認情況下,nodeIntegration 處于關閉狀態,因此 index.js 無法訪問 Node.但是,我需要能夠向按鈕添加功能以關閉、最小/最大和恢復窗口.
index.js
const { remote } = require('electron');const mainWindow = remote.getCurrentWindow();document.getElementById('close').addEventListener('click', () => {mainWindow.close();});這不起作用,因為 nodeIntegration 被禁用.在本地頁面中啟用它是否安全?如果沒有,這樣做的安全方法是什么?
TL;DR: 啟用 nodeIntegration 只會在您從不受信任的來源加載和執行代碼時產生風險,即互聯網或來自用戶輸入.
如果您完全確定您的應用程序將只運行您創建的代碼(并且沒有 NodeJS 模塊從互聯網加載腳本),基本上,啟用 nodeIntegration 的風險很小.
但是,如果您允許用戶運行代碼(即輸入然后 eval 它)或者您提供插件 API,您無法控制加載的插件,風險級別上升是因為 NodeJS 允許任何 NodeJS 腳本(例如)操作文件系統.
另一方面,如果禁用nodeIntegration,則無法與主進程通信或操作BrowserWindow,因此無法創建自定義窗口控件.
I am stuck when creating custom window controls like close, min/max and restore with nodeIntegration turned off. I created the buttons in my renderer's local html file
main.js
mainWindow = new BrowserWindow({
x, y, width, height,
frame: false,
show: false,
webPreferences: { devTools: true }
});
mainWindow.loadURL(url.format({
protocol: 'file:',
slashes: true,
pathname: path.join(__dirname, 'assets', 'index.html')
}));
index.html
<div id='minimize' class='noSelect'></div>
<div id='maximize' class='noSelect'></div>
<div id='restore' class='noSelect'></div>
<div id='close' class='noSelect'></div>
<script type='text/javascript' src='../assets/js/index.js'></script>
By default, nodeIntegration is off so index.js has no access to Node. However, I need to be able to add functionality to the buttons to close, min/max and restore the window.
index.js
const { remote } = require('electron');
const mainWindow = remote.getCurrentWindow();
document.getElementById('close').addEventListener('click', () => {
mainWindow.close();
});
This wouldn't work because of nodeIntegration being disabled. Is it safe to have it enabled in a local page? If not, what is a safe way of doing this?
TL;DR: Enabling nodeIntegration only imposes risks if you load and execute code from untrusted sources, i.e. the internet or from user input.
If you are completely sure that your application will only run the code you have created (and no NodeJS module loads scripts from the internet), basically, there is no to very little risk if enabling nodeIntegration.
However, if you allow the user to run code (i.e. input and then eval it) or you provide plug-in APIs from which you do not have any control over the plug-ins loaded, the risk level rises because NodeJS allows any NodeJS script, ex., to manipulate the filesystem.
On the other hand, if you disable nodeIntegration, you have no way of communicating with the main process or manipulating the BrowserWindow, thus cannot create custom window controls.
這篇關于在與應用程序一起打包的本地頁面上啟用 Electron 中的 nodeIntegration 是否安全?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!