Accessing the node.js process internally and externally in Electron


#1

Hi – sorry if this is addressed somewhere, I spent some time googling for it to no avail.

I’m curious, for a deployed Electron app, if the node.js process can be accessed from another process outside of the application.

And that leads to the next question – how does the front-end part of the Electron app access the node.js back-end? Is it via a socket?

Thanks!


#2

You’ll have to clarify what you mean by “node.js process can be accessed from another process outside of the application”.

There is no front-end or back-end in Electron, there are renderer processes (that can display HTML pages) and a browser process to wrangle them (that can display native dialogs). Each one of those processes has its own distinct Node runtime. The renderer processes communicate with the browser process via Chromium’s IPC which is implemented using a named pipe on Windows, and Unix domain sockets on Linux/OSX.


#3

Hey enlight,

Thanks for the quick response! I see I have a lot to learn about Electron.

My thinking was about the node (thinking of a traditional web server, I guess this is the renderer?) process being “contacted” by browsers other than the one in the Electron process. If that’s not possible, then a lot of XSS, CSRF, etc. attacks and other data validation issues will be lessened (I will definitely be verifying inputs, of course).

Again, thanks for the informative reply. You’ve lived up to your username :)


#4

Electron is not a web server, it’s a browser, and by default it provides HTML documents with unrestricted access to the local machine via JavaScript. Electron itself doesn’t spin up an HTTP server at any point because it merely loads and renders HTML documents, it doesn’t serve them. However, nothing is stopping you from spinning up a Node web server of some sort inside an Electron process or in some background process. Fortunately you seem to be aware that there are huge security implications in spinning up a local HTTP server, and one ought to be very careful so as not to rehash the mistakes of Trend Micro.
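
Added example, not part of the thread and not Electron's own code: one way to guard a Node HTTP server started inside an Electron process so that only the app itself can use it. The function names, the bearer-token scheme and the assumption that the only legitimate client is the app's own main process (which sends no `Origin` header) are all hypothetical.

```javascript
// Guard for a loopback-only HTTP server inside an Electron main process.
// All names below are assumptions made for this example.
const http = require('node:http');
const crypto = require('node:crypto');

// Per-launch secret. Hand it to your own code over Electron IPC, never in a URL.
function newLaunchToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Returns null when the request may proceed, otherwise the reason it is refused.
function rejectReason(req, port, token) {
  // Host check: a page whose hostname was re-pointed at 127.0.0.1 still
  // sends its own hostname in the Host header, so it fails here.
  const allowedHosts = [`127.0.0.1:${port}`, `localhost:${port}`];
  if (!allowedHosts.includes(req.headers.host)) return 'bad-host';

  // Origin check: assumed policy is that the app's own client sends no Origin,
  // so any Origin header means a web page in some browser is calling.
  if (req.headers.origin !== undefined) return 'cross-origin';

  // Token check, compared in constant time once the lengths match.
  const given = Buffer.from(String(req.headers.authorization || ''));
  const want = Buffer.from(`Bearer ${token}`);
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) {
    return 'bad-token';
  }
  return null;
}

function createLocalServer(port, token, handler) {
  const server = http.createServer((req, res) => {
    if (rejectReason(req, port, token) !== null) {
      res.writeHead(403);
      res.end();
      return;
    }
    handler(req, res);
  });
  // Bind to loopback explicitly; listen() without a host accepts
  // connections on every network interface.
  server.listen(port, '127.0.0.1');
  return server;
}
```

The three checks are independent on purpose: binding to loopback keeps other machines out, the `Host` and `Origin` checks keep web pages in a local browser out, and the token keeps other local processes out.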