Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Lack of ContextIsolation & Insecure Preload

See original GitHub issue

You should also avoid exposing any IPC objects directly to the DOM from the preload script, though without ContextIsolation it’s trivial to escape the sandbox using prototype pollution attacks.

There’s a couple different ways to approach this, my solution is detailed here but certainly isn’t the only way to address the problem.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
MarshallOfSoundcommented, Jan 15, 2020

@reZach That commit just blanket exposes all of ipcRenderer, as I outlined in my comment you linked above the safe thing to do here is expose the minimal required API surface. In it’s current state anything in the main context can send / listen for any ipc message.

0reactions
reZachcommented, Jan 16, 2020

Thanks @moloch-- and @MarshallOfSound. If you are interested, I’ve updated my i18next-electron-fs-backend repo with the following commit that I think adequately limits the channels the ipcRenderer/ipcMain can communicate on.

This change accomplishes a few things I was looking for:

  1. Keeping the channel keys in the package itself.
  2. Only allows the channel keys defined in the package for communication between the main and renderer processes.
  3. Allows the user to write nice bindings in the preload.js and main.js scripts to hook everything up.

I was considering a nonce or secret key or some other form of anti-tampering but I couldn’t/didn’t want to do that tonight so we (I) can table it unless the community feels its pressing to add. If you have more concerns I can re-open this issue.

Thanks both for your feedback!

Read more comments on GitHub >

github_iconTop Results From Across the Web

Preloading Insecurity In Your Electron - Doyensec
Subverting Apps via Insecure Preload ... This flag introduces JavaScript context isolation for ... Lack of isolated words by default (contextIsolation).
Read more >
Preloading Insecurity In Your Electron - YouTube
It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS ......
Read more >
Context Isolation - Electron
Context Isolation is a feature that ensures that both your preload scripts and Electron's internal logic run in a separate context to the...
Read more >
Should I use Context Isolation with my Electron App
I got my application to work with contextIsolation on by using contextBridge . Here's my main.js webPreferences with the preload script:
Read more >
Security, Native Capabilities, and Your Responsibility | Electron
In other words, do not use insecure protocols like HTTP . ... Context isolation is an Electron feature that allows developers to run...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Unable to use styled-components

Next page

Compatibility with React 18?