https://github.com/nwutils/limited-node-access-example

WIP: Example of a project with an iframe that has limited access to Node.js in NW.js
https://github.com/nwutils/limited-node-access-example

Last synced: 3 months ago
JSON representation

WIP: Example of a project with an iframe that has limited access to Node.js in NW.js

• Host: GitHub
• URL: https://github.com/nwutils/limited-node-access-example
• Owner: nwutils
• License: mit
• Created: 2020-10-20T16:12:16.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2023-08-31T12:45:19.000Z (almost 3 years ago)
• Last Synced: 2025-08-05T18:42:23.574Z (11 months ago)
• Homepage: https://nwutils.io
• Size: 7.81 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

          
# limited-node-access-example

Example of a project with an iframe that has limited access to Node.js in NW.js

**Two possible approaches:**

* `window.postMessage` ([MDN](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)) - Allows communication between a page and a pop-up it spawned, or between a page and an iframe embedded within it.

* Running a local webserver with custom routes that can be hit by any page. This has the security vulnerability of other applications running on the system being able to hit these routes too. So depending on what actions the routes perfom this could be bad, or not a big deal.

  * When embedding a page in an iframe for example, the URL used could have a one-time unique generated security token.

  * ``

  * Then both the parent and the child would know the one-time token, and the custom routes would only execute if the matching token was passed in. Increasing difficulty for attack vectors.

Pull Requests welcome to demo these approaches.