{ "id": "ba2a0fd8-e353-4ba3-b68a-09617e7bc5d2", "created_at": "2026-04-06T00:17:27.593632Z", "updated_at": "2026-04-10T03:20:24.556821Z", "deleted_at": null, "sha1_hash": "0eee35658a4b0a8d284675f4fd7ad3f87865e7da", "title": "Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45950, "plain_text": "Why do I see an \"Electron Security Warning\" after updating my\r\nElectron project to the latest version?\r\nBy Un1\r\nPublished: 2018-02-18 ยท Archived: 2026-04-05 22:27:49 UTC\r\nYou're having this:\r\nElectron Security Warning This renderer process has Node.js integration enabled and attempted to load\r\nremote content. This exposes users of this app to severe security risks.\r\nBecause from the 2nd Security Recommendations from Electron Documentation\r\n2) Disable Node.js Integration for Remote Content\r\nIt is paramount that you disable Node.js integration in any renderer (BrowserWindow, BrowserView, or WebView)\r\nthat loads remote content. The goal is to limit the powers you grant to remote content, thus making it dramatically\r\nmore difficult for an attacker to harm your users should they gain the ability to execute JavaScript on your\r\nwebsite.\r\nAfter this, you can grant additional permissions for specific hosts. For example, if you are opening a\r\nBrowserWindow pointed at \"https://my-website.com/\", you can give that website exactly the abilities it needs, but\r\nno more.\r\nWhy?\r\nA cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and\r\nexecute code on the user's computer. Cross-site-scripting attacks are fairly common - and while an issue, their\r\npower is usually limited to messing with the website that they are executed on. Disabling Node.js integration helps\r\nprevent an XSS from being escalated into a so-called \"Remote Code Execution\" (RCE) attack.\r\nHow?\r\n// Bad\r\nconst mainWindow = new BrowserWindow()\r\nmainWindow.loadURL('https://my-website.com')\r\n// Good\r\nconst mainWindow = new BrowserWindow({\r\n webPreferences: {\r\n nodeIntegration: false,\r\n preload: './preload.js'\r\n }\r\nhttps://stackoverflow.com/questions/48854265/why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t\r\nPage 1 of 2\n\n})\r\nmainWindow.loadURL('https://my-website.com')\r\n\u003c!-- Bad --\u003e\r\n\u003cwebview nodeIntegration src=\"page.html\"\u003e\u003c/webview\u003e\r\n\u003c!-- Good --\u003e\r\n\u003cwebview src=\"page.html\"\u003e\u003c/webview\u003e\r\nWhen disabling Node.js integration, you can still expose APIs to your website that do consume Node.js modules\r\nor features. Preload scripts continue to have access to require and other Node.js features, allowing developers to\r\nexpose a custom API to remotely loaded content.\r\nIn the following example preload script, the later loaded website will have access to a window.readConfig()\r\nmethod, but no Node.js features.\r\nconst { readFileSync } = require('fs')\r\nwindow.readConfig = function () {\r\n const data = readFileSync('./config.json')\r\n return data\r\n}\r\nTherefore you're been warned so that you can Disable Node.js Integration for Remote Content.\r\nI hope this helps answer your question.\r\nSource: https://stackoverflow.com/questions/48854265/why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t\r\nhttps://stackoverflow.com/questions/48854265/why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://stackoverflow.com/questions/48854265/why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t" ], "report_names": [ "why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t" ], "threat_actors": [], "ts_created_at": 1775434647, "ts_updated_at": 1775791224, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0eee35658a4b0a8d284675f4fd7ad3f87865e7da.pdf", "text": "https://archive.orkl.eu/0eee35658a4b0a8d284675f4fd7ad3f87865e7da.txt", "img": "https://archive.orkl.eu/0eee35658a4b0a8d284675f4fd7ad3f87865e7da.jpg" } }