Webview and iframe unusable for my case?


#1

Hi,

I’m trying to move from node-webkit to atom-electron.
I have to insert user content in my app and interact with it, and avoid security issues.

In node-webkit, I used an iframe, into which I inserted a script.js with the inject-js-start method. This allowed safe communication via window.postMessage(), and with node integration disabled it was completely safe to use.

Here in atom electron, I did not find a solution for this problem:

If I use a webview: It lets me inject a script, but prevents any communication if I refuse to add node context in the webview …

If I use an iframe: There is no method for script injection, so I can’t communicate from the iframe to the main application.

Does anyone have an idea? Information to share? A solution? Thanks!


#2

You can get node modules in a webview by adding the nodeintegration attribute to the webview tag, then use the require function to use node modules.


#3

If I do that, the user will be able to execute nodejs code, which I want to avoid.


#4

You can just require('ipc') or require('electron').ipcRenderer for v0.35.0 and no other nodeintegration with webview preload scripts.
http://electron.atom.io/docs/v0.35.0/api/web-view-tag/#preload
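
The approach from reply #4, sketched as an added example that is not part of the original thread and not Electron's own code: a preload script forwards allowlisted window.postMessage() traffic from the untrusted page to the host with ipcRenderer.sendToHost, and the host validates it again in its ipc-message handler. The channel names, the message shape and the function names are assumptions; in a real app the preload half and the host half live in separate files.

```javascript
// Added example. Channel names and the {channel, payload} shape are assumptions.
const ALLOWED_CHANNELS = new Set(['content-ready', 'content-resize']);

// Returns a cleaned {channel, payload}, or null if the message must be dropped.
function sanitizeGuestMessage(data) {
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.channel !== 'string') return null;
  if (!ALLOWED_CHANNELS.has(data.channel)) return null;
  try {
    // JSON round trip: only plain data crosses, never functions or live objects.
    const raw = data.payload === undefined ? null : data.payload;
    return { channel: data.channel, payload: JSON.parse(JSON.stringify(raw)) };
  } catch (err) {
    return null; // circular or non-serializable payload
  }
}

// Preload side (runs inside the webview, nodeintegration off).
// The user content calls window.postMessage({channel, payload}, '*').
function installPreloadBridge(win, ipc) {
  win.addEventListener('message', (event) => {
    if (event.source !== win) return; // ignore nested frames and other windows
    const msg = sanitizeGuestMessage(event.data);
    if (msg) ipc.sendToHost(msg.channel, msg.payload);
  });
}

// Host side: call from the <webview> 'ipc-message' listener.
// Validates again, because the host must not trust what the guest sends.
function handleGuestIpc(event, handlers) {
  const first = (event.args || [])[0];
  const msg = sanitizeGuestMessage({ channel: event.channel, payload: first });
  if (!msg || typeof handlers[msg.channel] !== 'function') return false;
  handlers[msg.channel](msg.payload);
  return true;
}

// Wiring (each line goes in its own file; onReady is a hypothetical handler):
//   preload.js: installPreloadBridge(window, require('electron').ipcRenderer);
//   host page:  webview.addEventListener('ipc-message',
//                 (e) => handleGuestIpc(e, { 'content-ready': onReady }));
```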