[Discussion] Changing the defaults for nodeIntegration and contextIsolation to improve the default security posture of Electron applications

[MarshallOfSound]

Planned Changes

Change the default of contextIsolation from false to true

Without contextIsolation any code running in a renderer process can quite easily reach into Electron internals or your preload script and perform privileged actions that you don't want arbitrary websites to be doing.

For more information on contextIsolation, how to enable it easily and it's security benefits please see our dedicated Context Isolation Document.

We're making this change to improve the default security of Electron apps so that your app is only insecure if you have deliberately opted in to the insecure behaviour.

Timeline

• Deprecate the current default of contextIsolation in Electron 10
• Change to the new default (true) in Electron 12

Remove the nodeIntegration flag completely

Historically we have recommended that apps use nodeIntegration: false to prevent renderers from having access to Electron internals or the require function. Over time it has become clear that this flag actually has negligible security impact and can easily be bypassed. This was the original motivation for adding the contextIsolation flag.

We are now confident enough in the contextIsolation feature that we intend to remove the misleading nodeIntegration flag and instead strongly recommend usage of contextIsolation.

Timeline

• Deprecate the flag and instruct folks to use contextIsolation: true instead of nodeIntegration: false in Electron 10
• Remove the flag and any effect it had in Electron 12

[reZach]

This is marked as discussion, so I hope I'm allowed to post, if not, please limit to just collaborators.

I feel this is a good change, but not many are prepared for. There are a lot of packages/templates that make use of remote and do not use IPC to talk between the processes. I've built a template that's supportive of this change, but I feel a lot will be discussing once this change is implemented.

[PalmerAL]

I'm not sure if this has been discussed anywhere (or if I'm not thinking through it correctly), but it does seem like there's a scenario in which:

• You're creating a webContents with nodeIntegration: false, contextIsolation: false in an old Electron version.
• You upgrade directly from an old version to 12, or you don't read the deprecation warnings in the intermediate versions.

The effect would be that node integration would be silently enabled in your app after the upgrade, which would potentially cause severe security issues. (I suppose that wouldn't matter if nodeIntegration can already be bypassed, but as far as I know it's still reasonably secure as long as you don't have a preload script).

As a solution for this, would it be possible to check if nodeIntegration: false is set on a webContents, and throw an error (and not create the contents) if it is?

[MarshallOfSound]

That's a reasonable point, I don't think many people would explicitly say contextIsolation: false but we should probably handle that in some way @nornagon

[nornagon]

nodeIntegration: false is not very much protection at all. I spent an hour this morning looking and found at least one attack vector that provides access to internal methods that nodeIntegration: false doesn't protect against. Ultimately, there is no reliable way to make having node and web content in the same context safe. If you care at all about security, contextIsolation: true is the way to go (and, ideally, sandbox: true as well).

I can imagine throwing on nodeIntegration: false being a better way of alerting to the developer that they need to change something, though!

[pushkin-]

@MarshallOfSound From some previous discussion with you, you mentioned that contextIsolation should be enabled for all BrowserWindows/BrowserViews regardless of whether it has a preload script or not. You told me that it should be enabled even when loading only local content.

The docs currently make it seems like this is only useful when there's a preload script, or you're loading a URL. Should they be updated to indicate that it should be on everywhere (even though that will be the default behavior anyway)

[ivanjeremic]

Does this mean Native modules will not work anymore in electron? I just added contextIsolation: false, to make it work again but got same error. Loading non-context-aware native module in renderer:

[nornagon]

Does this mean Native modules will not work anymore in electron?

No.

Loading non-context-aware native module

See #18397

[ivanjeremic]

Does this mean Native modules will not work anymore in electron?

No.

Loading non-context-aware native module

See #18397

This doesn't help.

[Prinzhorn]

Sounds like a great change to me. I'm always for security-by-default and always wondered why nodeIntegration exists to begin with.

Anyway, what about nodeIntegrationInSubFrames? I feel like this would've been a great moment to normalize it as well. There's a lot of discussion about it in #22582. It is ill named and has the side effect of enabling preload in subframes. It looks like this was one of the intentions but the name doesn't reflect that. When nodeIntegration is removed it only makes sense to remove it's sibling nodeIntegrationInSubFrames as well. And instead rename it to preloadInSubFrame (as a boolean) or even framePreload (pointing to a script to be used as preload in frames). And also make sure it doesn't actually enable node integration but only preload.

Same with nodeIntegrationInWorker btw. It'd be weird to keep them around (at least with the same name) when nodeIntegration is removed.