Create a browser window with a sandboxed renderer.
Options Trading Basics EXPLAINED (For Beginners)
With this option enabled, the renderer must communicate via IPC to the main process in order to access node APIs.
In other words, when the sandbox is enabled, the renderers can only make changes to the system by delegating tasks to the main process via IPC.
Here's more information about the sandbox.
Since a major feature in Electron is the ability to run Node.js in the renderer process (making it easier to develop desktop applications using web technologies), the sandbox is disabled by electron.
This is because most Node.js APIs require system access. for example, is not possible without file system permissions, which are not available in a sandboxed environment.
Usually this is not a problem for desktop applications since the code is always trusted, but it makes Electron less secure than Chromium for displaying untrusted web content. For applications that require more security, the flag will force Electron to spawn a classic Chromium renderer that is compatible with the sandbox.
The only exception is the preload script, which has access to a subset of the Electron renderer API.
they do not return a ).
To create a sandboxed window, pass to :
In the above code the that was created has Node.js disabled and can communicate only via IPC. The use of this option stops Electron from creating a Node.js runtime in the renderer. Also, within this new window follows the native behaviour (by default Electron creates a and returns a proxy to this via ).
can be used to force for all instances.
An app can make customizations to sandboxed renderers using a preload script.
Here's an example:
Important things to notice in the preload script:
- Even though the sandboxed renderer doesn't have Node.js running, it still has access to a limited node-like environment: , , , and are available.
- The preload script can indirectly access all APIs from the main process through the and modules.
- The preload script must be contained in a single script, but it is possible to have complex preload code composed with multiple modules by using a tool like webpack or browserify.
An example of using browserify is below.
To create a browserify bundle and use it as a preload script, something like the following should be used:
The flag should be used with any required module that is already exposed in the preload scope, and tells browserify to use the enclosing function for it. will ensure that , and are also taken from the enclosing scope(normally browserify injects code for those).
Currently the function provided in the preload scope exposes the following modules:
More may be added as needed to expose more Electron APIs in the sandbox, but any module in the main process can already be used through .
Please use the option with care, as it is still an experimental feature.
We are still not aware of the security implications of exposing some Electron renderer APIs to the preload script, but here are some things to consider before rendering untrusted content:
- A preload script can accidentally leak privileged APIs to untrusted code, unless is also enabled.
- Some bug in V8 engine may allow malicious code to access the renderer preload APIs, effectively granting full access to the system through the module.
Therefore, it is highly recommended to disable the module. If disabling is not feasible, you should selectively filter the module.
Since rendering untrusted content in Electron is still uncharted territory, the APIs exposed to the sandbox preload script should be considered more unstable than the rest of Electron APIs, and may have breaking changes to fix security issues.