Security
Cong Liu edited this page Mar 30, 2016
·
14 revisions
NOTE: some content in this wiki applies only to 0.12 and earlier versions. For official documentation on 0.13 and later, see http://docs.nwjs.io
node-webkit adds Node.js support and enhancement in DOM for trusted code and content. For untrusted code and content, it should remain in a normal frame
or iframe
, which is the same as the one in browser. So there are 2 kinds of frames in node-webkit: Node frame
and normal frame
.
As application developer, one should keep in mind that contents should be loaded in correct frames.
Which frames are Node frames and which are not?
- iframes that have the attribute
nwdisable
are normal frames. (NOTE:nwfaketop
attribute should be specified withnwdisable
. The reason is in https://github.com/rogerwang/node-webkit/issues/534) - Local files, [app protocol](App protocol) frames (or remote sites when URL matches the
node-remote
field) are Node frames. (nodejs
field should not be set to false in this case) - Frames opened with
window.open
are normal frames when these flags are set:new-instance
=true
andnodejs
=false
What can Node frames do?
- Node support: access to
require
,global
,process
,Buffer
androot
from Node. - Universal access to other frames: this can get around all cross-domain security checks defined in DOM.
- Ignore
X-Frame-Options
headers for child frames. - Others listed in [Changes to DOM](Changes to dom)
nwdisable
is added in 0.5.0 rc2; nwfaketop
is added in 0.5.1