Not compatible with default sandbox mode of Electron 20+

[jthrilly]

trafficstars

Since Electron 20, the sandbox option of window webPreferences has been set to true by default. This means that preload scripts can only use a small subset of the Electron and Node APIs. Specifically, require is polyfilled with a version that will only allow requiring a small subset of node core modules.

This causes a problem for this lib, since we need to require electron-trpc/main in the preload script, and then call exposeElectronTRPC().

Disabling the sandbox of course resolves this issue, but at the cost of losing the security benefits of sandboxing.

After a quick think about this I have two potential solutions:

1. Advise users to process and bundle their preload script. This would inline the import of the constants, leaving only the allowed contextBridge code. This should be a documentation only change, perhaps based on a sample vite-plugin-electron config.
2. Remove ELECTRON_TRPC_CHANNEL and make it up to the user to configure an appropriate and consistent channel across main, preload, and renderer. Then supply a copy/paste snippet for the preload file that only uses the contextBridge API. It would be helpful to export the RendererGlobalElectronTRPC type so consumers could at least match up with some sort of package API.

There may be other options I haven't considered.

Thanks for creating such a useful lib!

[jsonnull]

Hey, thanks for the thorough detail here and the considerations for fixing this. It seems to me that both of these solutions could be available going forward, where users pre-processing their preload file could use the current export, and users that are authoring a preload file directly could use a snippet.

I'm going to work on adding an example that's non-vite to the examples which should demonstrate the issue, and make the requisite changes.

Thanks again!

[MiniSuperDev]

Hello, any update on this? :)