Is nodeIntegration required?

[Mintonne]

Hey,

I have been reading up on Electron best practices and the official docs recommend turning off nodeIntegration for any renderer that loads remote content.

In my app, I use a preload script to expose any node modules that I need in the renderer process. Everything else is handled via IPC.

nodeIntegration is not required in my app. Turning it off , however, breaks the app. It just doesn't launch.

Error message

Root cause

I tried using a new project, disabled nodeIntegration and the error still appeared. There are few issues on Github about this and the solution is always

Enable nodeIntegration

Is this a bug or expected behavior?

[cawa-93]

Same question

[sabifa]

Noticed the same when I tried to turn it off

[nklayman]

Didn't realize this many people wanted this, thanks for letting me know. I think the issue is because I set the webpack target to electron-renderer. What do you guys think about adding a config option that will leave the target as default, allowing you to disable nodeIntegration?

[nklayman]

Also, you will have to do this for spectron testing.

[cawa-93]

@nklayman I don't really understand What is the difference between a electron-main, electron-renderer or electron-preload? Perhaps it makes sense to set the exact target for each entry point?

[Mintonne]

@cawa-93 https://webpack.js.org/configuration/target/

The explanation isn't that clear though 😕

@nklayman I don't think setting it to default will fix it. The different entry points need different targets.

• main.js (Vue) - web (default)
• backgound.js (Electron) - electron-main

There is also the preload script that can contain require statements but it is located in a Vue folder.

[cawa-93]

Maybe introduce some configuration like this:

// vue.config.js
module.exports = {
  pluginOptions: {
    electronBuilder: {
      entryPoints: {
        main: {path: ... , target: ...},
        preload: {path: ... , target: ...},
        renderer: {path: ... , target: ...},
      },
      builderOptions: {
        // options placed here will be merged with default configuration and passed to electron-builder
      }
    }
  }
}

[nklayman]

nodeIntegration is now disabled by default on the v2.0.0 beta, and can be configured.

[Sparkenstein]

that sounds great. is preload added by default?
for the reference, secure-electron-template Is one project in react that tries to collect all secure practices for electron in one place. I think having a default example for IPC would help as well.

[nklayman]

@Sparkenstein I created #742 to collect some security recommendations that can be implemented in v2.0 and described in a new documentation section. Can you please repost your comment there for better tracking? Thanks!

[Barrosy]

@nklayman I don't really understand What is the difference between a electron-main, electron-renderer or electron-preload? Perhaps it makes sense to set the exact target for each entry point?

I am aware it is quite a while back since you asked this question, however, for any still remaining with questions, more can be found at the documentation page of Electron. Here you can find the explanation of what is meant by preloading. Here you can find the explanation of what is meant by renderer. As for main, it would be quite self explanatory as this is where your main Electron related logic should live. This would be your background.js. I hope this clears up a bit about your questions.