
Disable nodeIntegration by default

Open · felicienfrancois opened this issue 7 years ago • 1 comment

Currently, the BrowserWindow.webPreferences.nodeIntegration option is left at the Electron default, which is true. This means that Node.js integration in the browser window context is enabled by default. The consequences are both a major security issue and a usage issue.

  • A major security issue, because capturing an online web page allows the web page to execute arbitrary Node.js code on the client side.

Example: when executing the README example command line electron-pdf https://fraserxu.me ~/Desktop/fraserxu.pdf, the fraserxu.me website (or its JavaScript dependencies) can execute arbitrary code on my computer. This could be data theft / drop, malware installation or whatever.

Example: any website with jQuery included via a script tag will not work. This is very hard to debug without understanding the underlying Electron principles.

The default setting should be changed to nodeIntegration: false. This may be a breaking change, so the major version number should be bumped. In the meantime (and for users who stick with the current version), these issues should be documented.

felicienfrancois avatar Jul 09 '17 09:07 felicienfrancois

Thanks for pointing this out. I will tag it for the next major release. Until then, this can be disabled using the --browserConfig option. Example: --browserConfig '{ "webPreferences": { "nodeIntegration": false}}'

codecounselor avatar Jul 10 '17 14:07 codecounselor