Electron Desktop App Development · Lesson

Context Isolation & Preload Scripts

Understand and apply context isolation to protect your renderer process from malicious scripts and use preload scripts for secure API exposure.

Renderer Process Risks

In Electron, your application's user interface runs in a renderer process. This process is essentially a Chromium web page, meaning it's susceptible to common web vulnerabilities like Cross-Site Scripting (XSS).

  • Malicious scripts injected into your web content could potentially gain access to powerful Node.js APIs.
  • This direct access could lead to system-level operations being performed without your knowledge or consent.
  • Protecting the renderer is crucial for app security.

What is Context Isolation?

Context Isolation is a fundamental security feature in Electron. When enabled, it ensures that the JavaScript context of your web page is completely separate from Electron's internal APIs and Node.js environment.

  • It's like having two distinct JavaScript worlds within the same renderer process.
  • One world is for your web content, the other for Electron/Node.js.
  • This separation prevents your web page's scripts from directly accessing sensitive APIs.

Good news: Context Isolation is enabled by default since Electron 12!
