Using process.env to pass vars from main process to preload script in Electron - Good option?
Question
I'm working on a webapp wrapped with Electron and I'm trying to find an easy way to pass vars from the main process to preload.js so I can later get them from my BrowserWindow.
I know we can use IPC to send/receive data from main process to the renderer view but I found this way sometimes too complex for just getting simple data.
Also, I don't want to set the BrowserWindow webPreferences.nodeIntegration to true because this can be a crack for XSS attacks, as explained here.
I found a way (below) to pass vars from the main process to a contextBridge in the preload.js so I can later get these vars from the JS code of my BrowserWindow.
index.js (MAIN PROCESS)
process.env.MY_SUPER_VAR = 'Hello'
preload.js
const { contextBridge } = require("electron");
contextBridge.exposeInMainWorld(
  "electron", {
    mySuperVar: process.env.MY_SUPER_VAR
  });
script.js (loaded later from page.html)
console.log(window.electron.mySuperVar); // 'Hello'
Is it the right way of doing it? Is it secure?
Any suggestions/advice/examples would be welcome. Thanks!
Answer 1
Score: 1
I'm the one who posted that comment you mentioned.
You can use process.env, but I'd recommend process.argv only for the reason that it's more in-line with the intended use of the property - (env is for environment-specific settings, argv are for application-specific settings), otherwise, they function in a similar enough way.
You can set argv values through the additionalArguments property on the BrowserWindow. As an example to refer to, I do this in my secure-electron-template repository.
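Example
const { BrowserWindow } = require("electron");
const path = require("path");

// `value` is the string to hand to the preload script, defined elsewhere in the main process.
win = new BrowserWindow({
  width: 800,
  height: 600,
  title: "Application is currently initializing...",
  webPreferences: {
    // Each entry is appended to process.argv of the renderer process.
    additionalArguments: [`--customValue=${value}`],
    preload: path.join(__dirname, "preload.js")
  }
});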
In your preload.js file you can pull the value out and use it as you like.
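// Find the switch added through additionalArguments; argValue is undefined when it is absent.
const arg = process.argv.find(p => p.startsWith("--customValue="));
const argValue = arg ? arg.substring(arg.indexOf("=") + 1) : undefined;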
A word of caution, I'd recommend prefixing every element of additionalArguments with -- in order to pass the value correctly and also not include any \, it does not work when you do not follow these rules.
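Added example (not from the answer or from secure-electron-template): one way to carry a value through additionalArguments and read it back in preload.js so that a missing switch, or a value containing \ or =, does not break parsing, and so that only named values reach the page. The helper names toArg, fromArgv and exposedConfig and the sample argv are assumptions made for this illustration.

```javascript
// Hypothetical helpers for illustration; none of these names are Electron APIs.
// Command-line arguments can be read by other local processes, so pass
// configuration this way, not secrets.

// Main process: build one additionalArguments entry.
// JSON + encodeURIComponent keeps "\", "=", spaces and quotes out of the raw switch.
function toArg(name, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) {
    throw new Error(`invalid argument name: ${name}`);
  }
  return `--${name}=${encodeURIComponent(JSON.stringify(value))}`;
}

// Preload: read one value back out of process.argv.
// Returns undefined when the switch is absent or malformed instead of throwing.
function fromArgv(argv, name) {
  const prefix = `--${name}=`;
  const arg = argv.find((a) => typeof a === "string" && a.startsWith(prefix));
  if (arg === undefined) return undefined;
  try {
    return JSON.parse(decodeURIComponent(arg.slice(prefix.length)));
  } catch {
    return undefined;
  }
}

// Preload: collect only the allow-listed names into a frozen object, so the
// page receives those values and nothing else from argv or env.
function exposedConfig(argv, names) {
  const out = {};
  for (const name of names) {
    const value = fromArgv(argv, name);
    if (value !== undefined) out[name] = value;
  }
  return Object.freeze(out);
}

// Constructed sample argv, shaped like what a renderer process might receive.
const sampleArgv = [
  "/opt/app/electron",
  "--type=renderer",
  toArg("customValue", "C:\\Users\\me\\data=1"),
  toArg("locale", "en-GB"),
];

// index.js:   webPreferences: { additionalArguments: [toArg("customValue", value)], ... }
// preload.js: contextBridge.exposeInMainWorld("electron", exposedConfig(process.argv, ["customValue"]));
console.log(exposedConfig(sampleArgv, ["customValue", "missing"]));
```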