Using process.env to pass vars from main process to preload script in Electron – Good option?

huangapple go评论129阅读模式
英文:

Using process.env to pass vars from main process to preload script in Electron - Good option?

问题

我正在开发一个用Electron封装的Web应用,尝试找到一种简单的方法将变量从主进程传递到preload.js,以便稍后可以从我的BrowserWindow中获取它。我知道可以使用IPC从主进程发送/接收数据到渲染器视图,但我发现这种方式有时对于获取简单数据来说有点复杂。此外,我不想将BrowserWindow的webPreferences.nodeIntegration设置为true,因为这可能会成为XSS攻击的漏洞。我找到了一种方法(如下)可以将变量从主进程传递到preload.js中的contextBridge,以便稍后可以从我的BrowserWindow的JS代码中获取这些变量。

index.js(主进程)

process.env.MY_SUPER_VAR = 'Hello'

preload.js

const { contextBridge } = require("electron");
contextBridge.exposeInMainWorld(
    "electron", {
        mySuperVar : process.env.MY_SUPER_VAR
    });

script.js(稍后从page.html加载)

console.log(window.electron.mySuperVar); // 'Hello'

这样做是正确的吗?这安全吗?任何建议/建议/示例都将不胜感激。谢谢!

英文:

I'm working on a webapp wrapped with Electron and I'm trying to find an easy way to pass vars from main process to preload.js so I could later get it from my BrowserWindow.

I know we can use IPC to send/receive datas from main process to the renderer view but I found this way sometimes too complex for just getting simple data.

Also, I don't want to set the BrowserWindow webPreferences.nodeIntegration to true because this can be a crack for XSS attack such as explained here.

I found a way (below) to pass vars from the main process to a contextBridge in the preload.js so I can later get these vars from the JS code of my BrowserWindow.


index.js (MAIN PROCESS)

process.env.MY_SUPER_VAR = 'Hello'

preload.js

const { contextBridge } = require("electron");
contextBridge.exposeInMainWorld(
    "electron", {
        mySuperVar : process.env.MY_SUPER_VAR
    });

script.js (loaded later from page.html)

console.log(window.electron.mySuperVar);// 'Hello'

Is it a right way of doing it? Is it secure?
Any suggestions/advises/examples would be welcome. Thanks!

答案1

得分: 1

I'm the one who posted that comment you mentioned.

You can use process.env, but I'd recommend process.argv only for the reason that it's more in-line with the intended use of the property - (env is for environment-specific settings, argv are for application-specific settings), otherwise, they function in a similar enough way.

You can set argv values through the additionalArguments property on the BrowserWindow. As an example to refer to, I do this in my secure-electron-template repository.

Example

  win = new BrowserWindow({
    width: 800,
    height: 600,
    title: "Application is currently initializing...",
    webPreferences: {
      additionalArguments: [`--customValue=${value}`],
      preload: path.join(__dirname, "preload.js")
    }
  });

In your preload.js file you can pull the value out and use it as you like.

const arg = process.argv.filter(p => p.indexOf("--customValue=") >= 0)[0];
const argValue = arg.substr(arg.indexOf("=") + 1);

A word of caution, I'd recommend prefixing every element of additionalArguments with -- in order to pass the value correctly and also not include any \, it does not work when you do not follow these rules.

英文:

I'm the one who posted that comment you mentioned.

You can use process.env, but I'd recommend process.argv only for the reason that it's more in-line with the intended use of the property - (env is for environment-specific settings, argv are for application-specific settings), otherwise, they function in a similar enough way.

You can set argv values through the additionalArguments property on the BrowserWindow. As an example to refer to, I do this in my secure-electron-template repository.

Example

  win = new BrowserWindow({
    width: 800,
    height: 600,
    title: "Application is currently initializing...",
    webPreferences: {
      additionalArguments: [`--customValue=${value}`],
      preload: path.join(__dirname, "preload.js")
    }
  });

In your preload.js file you can pull the value out and use it as you like.

const arg = process.argv.filter(p => p.indexOf("--customValue=") >= 0)[0];
const argValue = arg.substr(arg.indexOf("=") + 1);

A word of caution, I'd recommend prefixing every element of additionalArguments with -- in order to pass the value correctly and also not include any \, it does not work when you do not follow these rules.

huangapple
  • 本文由 发表于 2023年4月19日 17:04:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/76052661.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定