
WebPreferences Vulnerability Fix

· 3 min read

A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). This vulnerability has been assigned the CVE identifier CVE-2018-15685.


Affected Platforms

This affects you if:

  1. You embed any remote user content, even in a sandbox
  2. You accept user input with any XSS vulnerability

Details

This affects you if any user code runs inside an iframe / can create an iframe. Given the possibility of an XSS vulnerability, it can be assumed that most applications are vulnerable to this case.

This affects you if you open any of your windows with the nativeWindowOpen: true or sandbox: true options. Although this vulnerability also requires that an XSS vulnerability exist in your app, you should apply one of the mitigations below if you use either of these options.

Mitigation

We've published new versions of Electron which include fixes for this vulnerability: 3.0.0-beta.7, 2.0.8, 1.8.8, and 1.7.16. We urge all Electron developers to update their apps to the latest stable version immediately.

If for some reason you are unable to upgrade your Electron version, you can protect your app by blanket-calling event.preventDefault() on the new-window event for all webContents. If you don't use window.open or any child windows at all, then this is also a valid mitigation for your app.

mainWindow.webContents.on('new-window', (e) => e.preventDefault());

If you depend on the ability of your child windows to create grandchild windows, then a third mitigation strategy is to use the following code in your top-level window:

const enforceInheritance = (topWebContents) => {
  const handle = (webContents) => {
    webContents.on(
      'new-window',
      (event, url, frameName, disposition, options) => {
        if (!options.webPreferences) {
          options.webPreferences = {};
        }
        Object.assign(
          options.webPreferences,
          topWebContents.getLastWebPreferences(),
        );
        if (options.webContents) {
          handle(options.webContents);
        }
      },
    );
  };
  handle(topWebContents);
};

enforceInheritance(mainWindow.webContents);

This code will manually enforce that the top-level window's webPreferences are applied to all child windows, infinitely deep.

More Information

This vulnerability was found and reported responsibly to the Electron project by Matt Austin of Contrast Security.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

If you wish to report a vulnerability in Electron, email security@electronjs.org.

Search

· 5 min read

The Electron website has a new search engine that delivers instant results for API docs, tutorials, Electron-related npm packages, and more.

Electron Search Screenshot


Learning a new technology or framework like Electron can be intimidating. Once you get past the quick-start phase, it can be difficult to learn best practices, find the right APIs, or discover the tools that will help you build the app of your dreams. We want the Electron website to be a better tool for finding the resources you need to build apps faster and more easily.

Visit any page on electronjs.org and you'll find the new search input at the top of the page.

The Search Engine

When we first set about adding search to the website, we rolled our own search engine using GraphQL as a backend. GraphQL was fun to work with and the search engine was performant, but we quickly realized that building a search engine is not a trivial task. Things like multi-word search and typo detection require a lot of work to get right. Rather than reinventing the wheel, we decided to use an existing search solution: Algolia.

Algolia is a hosted search service that has quickly become the search engine of choice among popular open source projects like React, Vue, Bootstrap, Yarn, and many others.

Here are some of the features that made Algolia a good fit for the Electron project:

API Docs

Sometimes you know what you want to accomplish, but you don't know exactly how to do it. Electron has over 750 API methods, events, and properties. No human can easily remember all of them, but computers are good at this stuff. Using Electron's JSON API docs, we indexed all of this data in Algolia, and now you can easily find the exact API you're looking for.

Trying to resize a window? Search for resize and jump straight to the method you need.

Tutorials

Electron has an ever-growing collection of tutorials to complement its API documentation. Now you can more easily find tutorials on a given topic, right alongside related API documentation.

Looking for security best practices? Search for security.

npm Packages

There are now over 700,000 packages in the npm registry and it's not always easy to find the one you need. To make it easier to discover these modules, we've created electron-npm-packages, a collection of the 3400+ modules in the registry that are built specifically for use with Electron.

The folks at Libraries.io have created SourceRank, a system for scoring software projects based on a combination of metrics like code, community, documentation, and usage. We created a sourceranks module that includes the score of every module in the npm registry, and we use these scores to sort the package results.

Want alternatives to Electron's built-in IPC modules? Search for is:package ipc.

Electron Apps

It's easy to index data with Algolia, so we added the existing apps list from electron/apps.

Try searching for music or homebrew.

Filtering Results

If you've used GitHub's code search before, you're probably aware of its colon-separated key-value filters like extension:js or user:defunkt. We think this filtering technique is pretty powerful, so we've added an is: keyword to Electron's search that lets you filter results to only show a single type:

Keyboard Navigation

People love keyboard shortcuts! The new search can be used without taking your fingers off the keyboard:

  • / focuses the search input
  • esc focuses the search input and clears it
  • down moves to the next result
  • up moves to the previous result, or the search input
  • enter opens a result

We also open-sourced the module that enables this keyboard interaction. It's designed for use with Algolia InstantSearch, but is generalized to enable compatibility with different search implementations.

We want your feedback

If you encounter any issues with the new search tool, we want to hear about it!

The best way to submit your feedback is by filing an issue on GitHub in the appropriate repository:

Thanks

Special thanks to Emily Jordan and Vanessa Yuen for building these new search capabilities, to Libraries.io for providing SourceRank scores, and to the team at Algolia for helping us get started. 🍹

Internationalization Updates

· 3 min read

Ever since the launch of the new internationalized Electron website, we have been working hard to make the Electron development experience even more accessible to developers outside of the English speaking world.

So here we are with some exciting i18n updates!


🌐 Language Toggle

Did you know that many people who read translated documentation often cross reference that with the original English documentation? They do this to familiarize themselves with English docs, and to avoid outdated or inaccurate translations, which is one caveat of internationalized documentations.

Language toggle on Electron documentation

To make cross-referencing to English docs easier, we recently shipped a feature that allows you to seamlessly toggle a section of the Electron documentation between English and whatever language you're viewing the website in. The language toggle will show up as long as you have a non-English locale selected on the website.

⚡️ Quick Access to Translation Page

New Electron documentation footer in Japanese

Notice a typo or an incorrect translation while you're reading the documentation? You no longer have to log in to Crowdin, pick your locale, find the file you'd like the fix, etc etc. Instead, you can just scroll down to the bottom of the said doc, and click "Translate this doc" (or the equivalent in your language). Voila! You are brought straight to the Crowdin translation page. Now apply your translation magic!

📈 Some Statistics

Ever since we have publicized the Electron documentation i18n effort, we have seen huge growth in translation contributions from Electron community members from all around the world. To date, we have 1,719,029 strings translated, from 1,066 community translators, and in 25 languages.

Translation Forecast provided by Crowdin

Here is a fun graph showing the approximate amount of time needed to translate the project into each language if the existing tempo (based on the project activity during the last 14 days at the time of writing) is preserved.

📃 Translator Survey

We would like to give a huge ❤️ thank you ❤️ to everyone who has contributed their time to help improving Electron! In order to properly acknowledge the hard work of our translator community, we have created a survey to collect some information (namely the mapping between their Crowdin and Github usernames) about our translators.

If you are one of our incredible translators, please take a few minutes to fill this out: https://goo.gl/forms/b46sjdcHmlpV0GKT2.

🙌 Node's Internationalization Effort

Because of the success of Electron's i18n initiative, Node.js decided to model their revamped i18n effort after the pattern we use as well! 🎉 The Node.js i18n initiative has now been launched and gained great momentum, but you can still read about the early proposal and reasoning behind it here.

🔦 Contributing Guide

If you're interested in joining our effort to make Electron more international friendly, we have a handy-dandy contributing guide to help you get started. Happy internationalizing! 📚

Electron 2.0.0

· 5 min read

After more than four months of development, eight beta releases, and worldwide testing from many apps' staged rollouts, the release of Electron 2.0.0 is now available from electronjs.org.


Release Process

Starting with 2.0.0, Electron's releases will follow semantic versioning. This means the major version will bump more often and will usually be a major update to Chromium. Patch releases should be more stable because they will contain only high-priority bug fixes.

Electron 2.0.0 also represents an improvement to how Electron is stabilized before a major release. Several large scale Electron apps have included 2.0.0 betas in staged rollouts, providing the best feedback loop Electron's ever had for a beta series.

Changes / New Features

  • Major bumps to several important parts of Electron's toolchain, including Chrome 61, Node 8.9.3, V8 6.1.534.41, GTK+ 3 on Linux, updated spellchecker, and Squirrel.
  • In-app purchases are now supported on macOS. #11292
  • New API for loading files. #11565
  • New API to enable/disable a window. #11832
  • New API app.setLocale(). #11469
  • New support for logging IPC messages. #11880
  • New menu events. #11754
  • Add a shutdown event to powerMonitor. #11417
  • Add affinity option for gathering several BrowserWindows into a single process. #11501
  • Add the ability for saveDialog to list available extensions. #11873
  • Support for additional notification actions #11647
  • The ability to set macOS notification close button title. #11654
  • Add conditional for menu.popup(window, callback)
  • Memory improvements in touchbar items. #12527
  • Improved security recommendation checklist.
  • Add App-Scoped Security scoped bookmarks. #11711
  • Add ability to set arbitrary arguments in a renderer process. #11850
  • Add accessory view for format picker. #11873
  • Fixed network delegate race condition. #12053
  • Drop support for the mips64el arch on Linux. Electron requires the C++14 toolchain, which was not available for that arch at the time of the release. We hope to re-add support in the future.

Breaking API changes

  • Removed deprecated APIs, including:
    • Changed menu.popup signature. #11968
    • Removed deprecated crashReporter.setExtraParameter. #11972
    • Removed deprecated webContents.setZoomLevelLimits and webFrame.setZoomLevelLimits. #11974
    • Removed deprecated clipboard methods. #11973
    • Removed support for boolean parameters for tray.setHighlightMode. #11981

Bug Fixes

  • Changed to make sure webContents.isOffscreen() is always available. #12531
  • Fixed BrowserWindow.getFocusedWindow() when DevTools is undocked and focused. #12554
  • Fixed preload not loading in sandboxed render if preload path contains special chars. #12643
  • Correct the default of allowRunningInsecureContent as per docs. #12629
  • Fixed transparency on nativeImage. #12683
  • Fixed issue with Menu.buildFromTemplate. #12703
  • Confirmed menu.popup options are objects. #12330
  • Removed a race condition between new process creation and context release. #12361
  • Update draggable regions when changing BrowserView. #12370
  • Fixed menubar toggle alt key detection on focus. #12235
  • Fixed incorrect warnings in webviews. #12236
  • Fixed inheritance of 'show' option from parent windows. #122444
  • Ensure that getLastCrashReport() is actually the last crash report. #12255
  • Fixed require on network share path. #12287
  • Fixed context menu click callback. #12170
  • Fixed popup menu position. #12181
  • Improved libuv loop cleanup. #11465
  • Fixed hexColorDWORDToRGBA for transparent colors. #11557
  • Fixed null pointer dereference with getWebPreferences api. #12245
  • Fixed a cyclic reference in menu delegate. #11967
  • Fixed protocol filtering of net.request. #11657
  • WebFrame.setVisualZoomLevelLimits now sets user-agent scale constraints #12510
  • Set appropriate defaults for webview options. #12292
  • Improved vibrancy support. #12157 #12171 #11886
  • Fixed timing issue in singleton fixture.
  • Fixed broken production cache in NotifierSupportsActions()
  • Made MenuItem roles camelCase-compatible. #11532
  • Improved touch bar updates. #11812, #11761.
  • Removed extra menu separators. #11827
  • Fixed Bluetooth chooser bug. Closes #11399.
  • Fixed macOS Full Screen Toggle menu item label. #11633
  • Improved tooltip hiding when a window is deactivated. #11644
  • Migrated deprecated web-view method. #11798
  • Fixed closing a window opened from a browserview. #11799
  • Fixed Bluetooth chooser bug. #11492
  • Updated to use task scheduler for app.getFileIcon API. #11595
  • Changed to fire console-message event even when rendering offscreen. #11921
  • Fixed downloading from custom protocols using WebContents.downloadURL. #11804
  • Fixed transparent windows losing transparency when devtools detaches. #11956
  • Fixed Electron apps canceling restart or shutdown. #11625

macOS

  • Fixed event leak on reuse of touchbar item. #12624
  • Fixed tray highlight in darkmode. #12398
  • Fixed blocking main process for async dialog. #12407
  • Fixed setTitle tray crash. #12356
  • Fixed crash when setting dock menu. #12087

Linux

Windows

  • Added Visual Studio 2017 support. #11656
  • Fixed passing of exception to the system crash handler. #12259
  • Fixed hiding tooltip from minimized window. #11644
  • Fixed desktopCapturer to capture the correct screen. #11664
  • Fixed disableHardwareAcceleration with transparency. #11704

What's Next

The Electron team is hard at work to support newer versions of Chromium, Node, and v8. Expect 3.0.0-beta.1 soon!

Easier AutoUpdating for Open-Source Apps

· 3 min read

Today we're releasing a free, open-source update web service and companion npm package to enable easy automatic updates for open-source Electron apps. This is a step toward empowering app developers to think less about deployment and more about developing high-quality experiences for their users.


The new update module in action

Making life easier

Electron has an autoUpdater API that gives apps the ability to consume metadata from a remote endpoint to check for updates, download them in the background, and install them automatically.

Enabling these updates has been a cumbersome step in the deployment process for many Electron app developers because it requires a web server to be deployed and maintained just to serve app version history metadata.

Today we are announcing a new solution for automatic app updates. If your Electron app is in a public GitHub repository and you're using GitHub Releases to publish builds, you can use this service to deliver continuous app updates to your users.

Using the new module

To minimize configuration on your part, we've created update-electron-app, an npm module that integrates with the new update.electronjs.org web service.

Install the module:

npm install update-electron-app

Call it from anywhere in your app's main process:

require('update-electron-app')();

That's it! The module will check for updates at app startup, then every ten minutes. When an update is found, it will download automatically in the background, and a dialog will be displayed when the update is ready.

Migrating existing apps

Apps that are already using Electron's autoUpdater API can also use this service. To do so, you can customize the update-electron-app module or integrate directly with update.electronjs.org.

Alternatives

If you're using electron-builder to package your app, you can use its built-in updater. For details, see electron.build/auto-update.

If your app is private, you may need to run your own update server. There are a number of open-source tools for this, including Zeit's Hazel and Atlassian's Nucleus. See the Deploying an update server tutorial for more info.

Thanks

Thanks to Julian Gruber for helping design and build this simple and scalable web service. Thanks to the folks at Zeit for their open-source Hazel service, from which we drew design inspiration. Thanks to Samuel Attard for reviewing the code. Thanks to the Electron community for helping test this service.

🌲 Here's to an evergreen future for Electron apps!

New in Electron 2: In-App Purchases

· 2 min read

The new Electron 2.0 release line is packed with new features and fixes. One of the highlights of this new major version is a new inAppPurchase API for Apple's Mac App Store.


In-app purchases enable content or subscriptions to be purchased directly from within apps. This gives developers an easy way to embrace the freemium business model, where users pay nothing to download an app and are offered optional in-app purchases for premium features, additional content, or subscriptions.

This new API was added to Electron by community contributor Adrien Fery to enable in-app purchases in Amanote, an Electron app for note-taking in lectures and conferences. Amanote is free to download and allows clear and structured notes to be added to PDF files, with features like mathematical formulae, drawings, audio recording, and more.

Since adding in-app purchase support to the Mac version of Amanote, Adrien has noted a 40% increase in sales!

Getting Started

The new inAppPurchase API has landed in the latest Electron beta:

npm i -D electron@beta

Docs for the API can be found on GitHub, and Adrien has been kind enough to write a tutorial on how to use the API. To get started adding in-app purchases to your app, see the tutorial.

More improvements to the API are in the works, and will be landing in the next Electron beta soon.

Windows Could Be Next

Next, Adrien hopes to open a new revenue channel for Amanote by adding support for in-app purchases with the Microsoft Store in Electron. Stay tuned for updates on that!

Webview Vulnerability Fix

· 2 min read

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it. This vulnerability has been assigned the CVE identifier CVE-2018-1000136.


Affected Applications

An application is affected if all of the following are true:

  1. Runs on Electron 1.7, 1.8, or a 2.0.0-beta
  2. Allows execution of arbitrary remote code
  3. Disables Node.js integration
  4. Does not explicitly declare webviewTag: false in its webPreferences
  5. Does not enable the nativeWindowOpen option
  6. Does not intercept new-window events and manually override event.newGuest without using the supplied options tag

Although this appears to be a minority of Electron applications, we encourage all applications to be upgraded as a precaution.

Mitigation

This vulnerability is fixed in today's 1.7.13, 1.8.4, and 2.0.0-beta.5 releases.

Developers who are unable to upgrade their application's Electron version can mitigate the vulnerability with the following code:

app.on('web-contents-created', (event, win) => {
  win.on(
    'new-window',
    (event, newURL, frameName, disposition, options, additionalFeatures) => {
      if (!options.webPreferences) options.webPreferences = {};
      options.webPreferences.nodeIntegration = false;
      options.webPreferences.nodeIntegrationInWorker = false;
      options.webPreferences.webviewTag = false;
      delete options.webPreferences.preload;
    },
  );
});

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  });
});

More Information

This vulnerability was found and reported responsibly to the Electron project by Brendan Scarvell of Trustwave SpiderLabs.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

To report a vulnerability in Electron, please email security@electronjs.org.

Please join our email list to receive updates about releases and security updates.

Website Hiccups

· 2 min read

Last week the electronjs.org site had a few minutes of downtime. If you were affected by these brief outages, we're sorry for the inconvenience. After a bit of investigation today, we've diagnosed the root cause and have deployed a fix.


To prevent this kind of downtime in the future, we've enabled Heroku threshold alerts on our app. Any time our web server accumulates failed requests or slow responses beyond a certain threshold, our team will be notified so we can address the problem quickly.

Offline Docs in Every Language

The next time you're developing an Electron app on a plane or in a subterranean coffee shop, you might want to have a copy of the docs for offline reference. Fortunately, Electron's docs are available as Markdown files in over 20 languages.

git clone https://github.com/electron/electron-i18n
ls electron-i18n/content

Offline Docs with a GUI

devdocs.io/electron is a handy website that stores docs for offline use, not just for Electron but many other projects like JavaScript, TypeScript, Node.js, React, Angular, and many others. And of course there's an Electron app for that, too. Check out devdocs-app on the Electron site.

devdocs-app

If you like to install apps without using your mouse or trackpad, give Electron Forge's install command a try:

npx electron-forge install egoist/devdocs-app

Protocol Handler Vulnerability Fix

· 2 min read

A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.


Affected Platforms

Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

macOS and Linux are not vulnerable to this issue.

Mitigation

We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.5, 1.7.12, and 1.6.17. We urge all Electron developers to update their apps to the latest stable version immediately.

If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash -- signifies the end of command options, after which only positional parameters are accepted.

app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--',
]);

See the app.setAsDefaultProtocolClient API for more details.

To learn more about best practices for keeping your Electron apps secure, see our security tutorial.

If you wish to report a vulnerability in Electron, email security@electronjs.org.

Electron 2.0 and Beyond - Semantic Versioning

· 2 min read

A new major version of Electron is in development, and with it some changes to our versioning strategy. As of version 2.0.0, Electron will strictly adhere to Semantic Versioning.


This change means you'll see the major version bump more often, and it will usually be a major update to Chromium. Patch releases will also be more stable, as they will now only contain bug fixes with no new features.

Major version increments

  • Chromium version updates
  • Node.js major version updates
  • Electron breaking API changes

Minor version increments

  • Node.js minor version updates
  • Electron non-breaking API changes

Patch version increments

  • Node.js patch version updates
  • Fix-related Chromium patches
  • Electron bug fixes

Because Electron's semver ranges will now be more meaningful, we recommend installing Electron using npm's default --save-dev flag, which will prefix your version with ^, keeping you safely up to date with minor and patch updates:

npm install --save-dev electron

For developers interested only in bug fixes, you should use the tilde semver prefix, e.g. ~2.0.0, which will never introduce new features, only fixes to improve stability.

For more details, see electronjs.org/docs/tutorial/electron-versioning.