A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). 这个脆弱性已经被分配到CVE标识符 CVE-2018-15685。

Affected Platforms​

You are impacted if:

1. You embed any remote user content, even in a sandbox
2. You accept user input with any XSS vulnerabilities

详细信息

You are impacted if any user code runs inside an iframe / can create an iframe. Given the possibility of an XSS vulnerability it can be assumed that most apps are vulnerable to this case.

You are also impacted if you open any of your windows with the nativeWindowOpen: true or sandbox: true option. Although this vulnerability also requires an XSS vulnerability to exist in your app, you should still apply one of the mitigations below if you use either of these options.

Mitigation​

We've published new versions of Electron which include fixes for this vulnerability: 3.0.0-beta.7, 2.0.8, 1.8.8, and 1.7.16. We urge all Electron developers to update their apps to the latest stable version immediately.

If for some reason you are unable to upgrade your Electron version, you can protect your app by blanket-calling event.preventDefault() on the new-window event for all webContents'. If you don't use window.open or any child windows at all then this is also a valid mitigation for your app.

mainWindow.webContents.on('new-window', (e) => e.preventDefault());

If you rely on the ability of your child windows to make grandchild windows, then a third mitigation strategy is to use the following code on your top level window:

const enforceInheritance = (topWebContents) => {
  const handle = (webContents) => {
    webContents.on(
      'new-window',
      (event, url, frameName, disposition, options) => {
        if (!options.webPreferences) {
          options.webPreferences = {};
        }
        Object.assign(
          options.webPreferences,
          topWebContents.getLastWebPreferences(),
        );
        if (options.webContents) {
          handle(options.webContents);
        }
      },
    );
  };
  handle(topWebContents);
};

enforceInheritance(mainWindow.webContents);

This code will manually enforce that the top level windows webPreferences is manually applied to all child windows infinitely deep.

Further Information​

This vulnerability was found and reported responsibly to the Electron project by Matt Austin of Contrast Security.

要了解更多关于维护您的 Electron 应用安全的最佳做法，请参阅我们的 安全教程。

If you wish to report a vulnerability in Electron, email security@electronjs.org.

Electron 网站有一个搜索引擎，可以提供 API 文档、教程、Electron 相关的 npm 包等查询结果。

学习像 Electron 这样的新技术或框架可能有点令人生畏。 当您学习完快速开始部分后，寻找最佳实践、正确的 API 或者合适的辅助工具可能会有点困难。 我们希望 Electron 网站成为帮助您寻找开发资料的更好工具。

访问 electronjs.org 的任意页面，您便可以在页面顶端找到搜索框。

搜索引擎​

起初我们为网站添加搜索时，我们使用了自己的，基于 GraphQL 的后端。 GraphQL 很有趣，并且搜索的效率很高，但我们很快认识到构建搜索引擎只是很基础的一部分。 像多词搜索和错别字检测等特性需要大量工作才能完成。 与其重复造轮子，我们决定使用现有的方案：Algolia。

Algolia 是一个托管的搜索服务，已经很快成为不少热门开源项目（如 React，Vue，Bootstrap，Yarn 等等）的选择。

以下特性让 Algolia 很适合 Electron 官网的搜索任务：

• InstantSearch.js 在您输入时提供实时搜索结果，延迟通常在 1 ms 之内。
• 输入容忍度 让您在输入 [widnow] 等错别字时也能获得结果。
• 高级查询语法 允许您使用 "exact quoted matches" 和 -exclusion 等语句。
• API 客户端 是开源的，并有大量文档。
• 分析 帮助我们了解人们经常搜索的内容，以及哪些缺失的内容需要补充。 这将为我们提供有关如何改进 Electron 文档的宝贵见解。
• Algolia 对开源项目 免费。

API 文档​

有时你知道_你想要完成什么_ ，但你不完全知道_如何做_。 Electron 拥有超过 750 个 API 方法、事件和属性。 没有人能够轻易地记住所有这些，但计算机在这件事上很擅长。 通过 Electron 的 JSON API 文档，我们将所有这些数据编入了 Algolia 。 现在你可以轻松地找到你想要的 API。

尝试调整窗口大小？ 搜索 [调整大小] 并直接跳转到您需要的方法。

教程​

Electron 的教程正在逐步丰富，以跟进它的 API 文档。 现在你可以更容易地找到关于某个主题的教程，以及相关的 API 文档。

寻找安全方面的最佳实践？ 搜索 [security]。

npm 包​

目前 npm 注册表中有超过 70 万个包，找到所需的包并不总是容易。 为了更容易地寻找这些依赖包，我们创建了 electron-npm-packages 这个集合，包含 3400 余个专为 Electron 编写的依赖项目。

Libraries.io 的工作者们做了 SourceRank，可以基于一系列指标（如代码、社区、文档、用法等）对开源项目进行评分。 我们创建了一个 [sourceranks] 模块，它包含了在 npm 注册表中每个模块的分数。 并且我们 使用这些分数来排序包结果。

想要 Electron 的内置 IPC 模块的替代品吗？ 搜索 is:package ipc。

Electron 应用​

使用 Algolia 索引数据很容易，所以我们添加了 GitHub 的 electron/apps 中的项目。

尝试搜索 [音乐] 或 [自制程序]。

Filtering Results​

如果你以前使用过 GitHub 的代码搜索功能，你可能知道它的键 - 值过滤用法，如 extension:js 或 user:defunkt 。 我们认为这种机制很有用，因此我们添加了一个 is: 关键词到 Electron 网站的搜索引擎中，帮助你筛选结果的类型：

• is:api thumbnail
• is:tutorial security
• is:package ipc
• is:app graphql

快捷键​

人们喜欢键盘快捷键！ 新的搜索可以让你手不离键盘：

• / 聚焦到搜索输入框
• Esc 聚焦到搜索输入框并清除内容
• ↓ 移动到下一个结果
• ↑ 移动到之前的结果，或搜索内容
• Enter 打开结果

我们已经将这个模块开源了。 它被设计成与 Algolia InstantSearch 一起使用，但是也为不同的搜索实现做了兼容。

我们希望得到您的反馈​

如果你在使用新的搜索工具时遇到了任何问题，我们希望了解它们！

提交反馈的最佳方式是在 GitHub 的对应仓库中提交 issue：

• electron/electronjs.org 是 Electron 的网站。 如果你不知道某个问题应该在哪提 issue，可以在这里提出。
• electron/algolia-indices 是 Electron 的可搜索的数据被编译的地方。
• electron/search-with-your-keyboard 提供了通过快捷键导航搜索的功能。
• algolia/instantsearch.js 是一个浏览器端的插件，提供在输入时实时获取结果的功能。
• algolia/algoliasearch-client-javascript 是用于将数据提交到 Algolia 服务器的 Node.js 客户端。

谢谢！​

特别感谢 Emily Jordan 和 Vanessa Yuen 编写了这些搜索工具，感谢 Libraries.io 提供 SourceRank 评分，以及感谢 Algolia 团队。 🍹

Ever since the launch of the new internationalized Electron website, we have been working hard to make the Electron development experience even more accessible to developers outside of the English speaking world.

So here we are with some exciting i18n updates!

🌐 Language Toggle​

Did you know that many people who read translated documentation often cross reference that with the original English documentation? They do this to familiarize themselves with English docs, and to avoid outdated or inaccurate translations, which is one caveat of internationalized documentations.

To make cross-referencing to English docs easier, we recently shipped a feature that allows you to seamlessly toggle a section of the Electron documentation between English and whatever language you're viewing the website in. The language toggle will show up as long as you have a non-English locale selected on the website.

⚡️ Quick Access to Translation Page​

Notice a typo or an incorrect translation while you're reading the documentation? You no longer have to log in to Crowdin, pick your locale, find the file you'd like the fix, etc etc. Instead, you can just scroll down to the bottom of the said doc, and click "Translate this doc" (or the equivalent in your language). Voila! You are brought straight to the Crowdin translation page. Now apply your translation magic!

📈 Some Statistics​

Ever since we have publicized the Electron documentation i18n effort, we have seen huge growth in translation contributions from Electron community members from all around the world. To date, we have 1,719,029 strings translated, from 1,066 community translators, and in 25 languages.

Here is a fun graph showing the approximate amount of time needed to translate the project into each language if the existing tempo (based on the project activity during the last 14 days at the time of writing) is preserved.

📃 Translator Survey​

We would like to give a huge ❤️ thank you ❤️ to everyone who has contributed their time to help improving Electron! In order to properly acknowledge the hard work of our translator community, we have created a survey to collect some information (namely the mapping between their Crowdin and Github usernames) about our translators.

If you are one of our incredible translators, please take a few minutes to fill this out: https://goo.gl/forms/b46sjdcHmlpV0GKT2.

🙌 Node's Internationalization Effort​

Because of the success of Electron's i18n initiative, Node.js decided to model their revamped i18n effort after the pattern we use as well! 🎉 The Node.js i18n initiative has now been launched and gained great momentum, but you can stil read about the early proposal and reasoning behind it here.

🔦 Contributing Guide​

If you're interested in joining our effort to make Electron more international friendly, we have a handy-dandy contributing guide to help you get started. Happy internationalizing! 📚

经过四个多月的开发，八个测试版发布，和世界范围内的测试来自许多应用的分级发布，Electron 2.0.0 现在可从 electronjs.org 下载。

发布流程​

從 2.0.0 開始，Electron 會按照語意版本控制來發布. This means the major version will bump more often and will usually be a major update to Chromium. Patch releases should be more stable because they will contain only high-priority bug fixes.

Electron 2.0.0 also represents an improvement to how Electron is stabilized before a major release. Several large scale Electron apps have included 2.0.0 betas in staged rollouts, providing the best feedback loop Electron's ever had for a beta series.

Changes / New Features​

• Major bumps to several important parts of Electron's toolchain, including Chrome 61, Node 8.9.3, V8 6.1.534.41, GTK+ 3 on Linux, updated spellchecker, and Squirrel.
• In-app purchases are now supported on MacOS. #11292
• New API for loading files. #11565
• New API to enable/disable a window. #11832
• New API app.setLocale(). #11469
• New support for logging IPC messages. #11880
• New menu events. #11754
• Add a shutdown event to powerMonitor. #11417
• Add affinity option for gathering several BrowserWindows into a single process. #11501
• Add the ability for saveDialog to list available extensions. #11873
• Support for additional notification actions #11647
• The ability to set macOS notification close button title. #11654
• Add conditional for menu.popup(window, callback)
• Memory improvements in touchbar items. #12527
• Improved security recommendation checklist.
• Add App-Scoped Security scoped bookmarks. #11711
• Add ability to set arbitrary arguments in a renderer process. #11850
• Add accessory view for format picker. #11873
• Fixed network delegate race condition. #12053
• Drop support for the mips64el arch on Linux. Electron requires the C++14 toolchain, which was not available for that arch at the time of the release. We hope to re-add support in the future.

Breaking API changes​

• Removed deprecated APIs, including:
  • Changed menu.popup signature. #11968
  • Removed deprecated crashReporter.setExtraParameter #11972
  • Removed deprecated webContents.setZoomLevelLimits and webFrame.setZoomLevelLimits. #11974
  • Removed deprecated clipboard methods. #11973
  • Removed support for boolean parameters for tray.setHighlightMode. #11981

Bug Fixes​

• Changed to make sure webContents.isOffscreen() is always available. #12531
• Fixed BrowserWindow.getFocusedWindow() when DevTools is undocked and focused. #12554
• Fixed preload not loading in sandboxed render if preload path contains special chars. #12643
• Correct the default of allowRunningInsecureContent as per docs. #12629
• Fixed transparency on nativeImage. #12683
• Fixed issue with Menu.buildFromTemplate. #12703
• Confirmed menu.popup options are objects. #12330
• Removed a race condition between new process creation and context release. #12361
• Update draggable regions when changing BrowserView. #12370
• Fixed menubar toggle alt key detection on focus. #12235
• Fixed incorrect warnings in webviews. #12236
• Fixed inheritance of 'show' option from parent windows. #122444
• Ensure that getLastCrashReport() is actually the last crash report. #12255
• Fixed require on network share path. #12287
• Fixed context menu click callback. #12170
• Fixed popup menu position. #12181
• Improved libuv loop cleanup. #11465
• Fixed hexColorDWORDToRGBA for transparent colors. #11557
• Fixed null pointer dereference with getWebPreferences api. #12245
• Fixed a cyclic reference in menu delegate. #11967
• Fixed protocol filtering of net.request. #11657
• WebFrame.setVisualZoomLevelLimits now sets user-agent scale constraints #12510
• Set appropriate defaults for webview options. #12292
• Improved vibrancy support. #12157 #12171 #11886
• Fixed timing issue in singleton fixture.
• Fixed broken production cache in NotifierSupportsActions()
• Made MenuItem roles camelCase-compatible. #11532
• Improved touch bar updates. #11812, #11761.
• Removed extra menu separators. #11827
• Fixed Bluetooth chooser bug. Closes #11399.
• Fixed macos Full Screen Toggle menu item label. #11633
• Improved tooltip hiding when a window is deactivated. #11644
• Migrated deprecated web-view method. #11798
• Fixed closing a window opened from a browserview. #11799
• Fixed Bluetooth chooser bug. #11492
• Updated to use task scheduler for app.getFileIcon API. #11595
• Changed to fire console-message event even when rendering offscreen. #11921
• Fixed downloading from custom protocols using WebContents.downloadURL. #11804
• Fixed transparent windows losing transparency when devtools detaches. #11956
• Fixed Electron apps canceling restart or shutdown. #11625

macOS​

• Fixed event leak on reuse of touchbar item. #12624
• Fixed tray highlight in darkmode. #12398
• Fixed blocking main process for async dialog. #12407
• Fixed setTitle tray crash. #12356
• Fixed crash when setting dock menu. #12087

Linux​

• Better Linux desktop notifications. #12229 #12216 #11965 #11980
• Better GTK+ theme support for menus. #12331
• Exit gracefully on linux. #12139
• Use the app’s name as the tray icon's default tooltip. #12393

Windows​

• Added Visual Studio 2017 support. #11656
• Fixed passing of exception to the system crash handler. #12259
• Fixed hiding tooltip from minimized window. #11644
• Fixed desktopCapturer to capture the correct screen. #11664
• Fixed disableHardwareAcceleration with transparency. #11704

接下来

Electron团队正在努力支持较新版本的Chromium, Node和 v8。 下一个版本号预计3.0.0-beta.1！

今天，我们发布了一个免费的、开源的托管更新 web服务 和配套的 npm 包，以便为开源 Electron 应用程序启用便捷的自动更新。 这使得应用程序开发人员能够花更少的时间考虑部署，而多去为用户提供高质量的体验。

让生活更轻松​

Electron有一个autoUpdater API，让应用程序能够从远程终端获取元数据以检查更新，可以在后台下载并且自动安装。

启用这些更新对许多Electron应用开发者来说是部署过程中一个繁琐的步骤，因为它需要部署一个 web 服务器并且这只是为了提供应用版本历史元数据。

今天我们公布了一个新的应用自动更新的解决方案。 如果你的Electron应用在公开的GitHub仓库中，并且你正在使用GitHub Releases发布构建版本，你可以使用这项服务向你的用户提供持续的应用更新。

使用新模块​

为了减少配置，我们创建了update-electron-app，一个npm模块，它与新的 update.electronjs.org web服务集成在一起。

安装模块

npm install update-electron-app

在您的应用程序的 main进程中的任何地方调用：

require('update-electron-app')();

搞定！ 该模块将在应用启动时检查更新，然后每10分钟检查一次。 当它发现有更新时，它将在后台自动下载，并在更新就绪时显示对话框。

迁移现有应用​

已经使用Electron的autoUpdater API的应用程序也可以使用这项服务。 为此，你可以定制update-electron-app模块，或者直接与update.electronjs.org集成。

可替代方案​

如果你使用electron-builder来打包你的应用，你可以使用它内置的更新程序。 有关详细信息，请参见electronic.build/auto-update。

如果你的应用是私人的，你可能需要部署属于你自己的更新服务器。 有很多开源工具可以做到这一点，包括Zeit的Hazel和Atlassian的Nucleus。 有关更多信息，请参阅部署一个更新服务器教程。

谢谢！​

感谢Julian Gruber帮助设计和构建这个简单且可扩展的web服务。 感谢Zeit的工作人员，他们提供了开源的Hazel服务，我们从中获得了设计灵感。 感谢Samuel Attard的代码评审。 感谢Electron社区帮助测试这项服务。

🌲 为 Electron 应用的美好未来干杯!

The new Electron 2.0 release line is packed with new features and fixes. One of the highlights from this new major version is a new inAppPurchase API for Apple's Mac App Store.

In-app purchases enable content or subscriptions to be purchased directly from within apps. This gives developers an easy way to embrace the freemium business model, wherein users pay nothing to download an app and are offered optional in-app purchases for premium features, additional content, or subscriptions.

The new API was added to Electron by community contributor Adrien Fery to enable in-app purchases in Amanote, a note-taking Electron app for lectures and conferences. Amanote is free to download and allows clear and structured notes to be added to PDFs, with features like mathematical formulae, drawings, audio recording, and more.

Since adding in-app purchase support to the Mac version of Amanote, Adrien has noted a 40% increase in sales!

入门指南​

The new inAppPurchase API has already landed in the latest Electron beta:

npm i -D electron@beta

The docs for the API can be found on GitHub, and Adrien has been kind enough to write a tutorial on how to use the API. To get started adding in-app purchases to your app, see the tutorial.

More improvements to the API are in the works, and will soon be landing in an upcoming Electron beta release.

Windows Could Be Next​

Up next, Adrien is hoping to open a new revenue channel for Amanote by adding support for Microsoft Store in-app purchases in Electron. Stay tuned for developments on that!

已发现一个漏洞，该漏洞允许在某些禁用 Node.js 集成的 Electron 应用程序中重新启用 Node.js 环境。 已为此漏洞分配了 CVE 标识符 CVE-2018-1000136。

受影响的应用程序​

如果 以下所有 都为真，则应用程序将受到影响：

1. 在 Electron 1.7, 1.8, 或 2.0.0-beta 上运行
2. 允许执行任意远程代码
3. 禁用 Node.js 集成
4. 没有在其网页首选项中明确声明 webviewTag: false
5. 不启用 nativeWindowOption 选项
6. 不要在未使用提供的选项标签的情况下拦截 new-window 事件并手动覆盖 event.newGuest

虽然这似乎是 Electron 应用程序中的少数，但我们鼓励所有应用程序升级，以此作为一种预防措施。

Mitigation​

此漏洞在当前 1.7.13, 1.8.4, 和 2.0.0-beta.5 版本中已修复.

无法升级其 Electron 版本的开发人员可以使用以下代码缓解此漏洞：

app.on('web-contents-created', (event, win) => {
  win.on(
    'new-window',
    (event, newURL, frameName, disposition, options, additionalFeatures) => {
      if (!options.webPreferences) options.webPreferences = {};
      options.webPreferences.nodeIntegration = false;
      options.webPreferences.nodeIntegrationInWorker = false;
      options.webPreferences.webviewTag = false;
      delete options.webPreferences.preload;
    },
  );
});

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  });
});

Further Information​

此漏洞是由 Trustwave SpiderLabs的Brendan Scarvell 发现并负责任地报告给Electron项目的。

要了解有关确保 Electron 应用程序安全的最佳实践，请参阅我们的 安全教程。

要报告Electron中的漏洞，请发送电子邮件至 security@electronjs.org 邮箱。

请加入我们 电子邮件列表 以接收有关版本和安全更新的信息。

上周 electronjs.org 网站停止运行了几分钟。 如果您受到这些短暂中断的影响，我们很抱歉给您带来不便。 今天经过调查，我们发现了根本原因，并部署了一个修复.

To prevent this kind of downtime in the future, we've enabled Heroku threshold alerts on our app. Any time our web server accumulates failed requests or slow responses beyond a certain threshold, our team will be notified so we can address the problem quickly.

各语种离线文档​

下次当你在飞机或在郊区咖啡店开发Electron应用程序时， 您可能想要拿到一份文档以供离线查看。 Fortunately, Electron's docs are available as Markdown files in over 20 languages.

git clone https://github.com/electron/electron-i18n
ls electron-i18n/content

使用GUI查看离线文档​

devdocs.io/electron 是一个文件储存网站，可供离线使用，十分便捷。 除了Electron， JavaScript, TypeScript, Node.js, React, Angular等项目也在使用该网站。 And of course there's an Electron app for that, too. Check out devdocs-app on the Electron site.

If you like to install apps without using your mouse or trackpad, give Electron Forge's install command a try:

npx electron-forge install egoist/devdocs-app

A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.

Affected Platforms​

Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

macOS and Linux are not vulnerable to this issue.

Mitigation​

We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.5, 1.7.12, and 1.6.17. We urge all Electron developers to update their apps to the latest stable version immediately.

如果由于某些原因，您无法升级您的 Electron 版本， 在调用 应用时，您可以添加 -- 作为最后一个参数。 etAsdefaultProtocol客户端, 防止Chromium 解析更多选项。 The double dash -- signifies the end of command options, after which only positional parameters are accepted.

app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--',
]);

更多详情请参阅 app.setAssDefaultProtocol客户端 API。

要了解更多关于维护您的 Electron 应用安全的最佳做法， 请参阅我们的 安全教程

If you wish to report a vulnerability in Electron, email security@electronjs.org.

A new major version of Electron is in the works, and with it some changes to our versioning strategy. As of version 2.0.0, Electron will strictly adhere to Semantic Versioning.

This change means you'll see the major version bump more often, and it will usually be a major update to Chromium. Patch releases will also be more stable, as they will now only contain bug fixes with no new features.

Major 版本增量

• Chromium 版本更新
• Node.js 重大版本更新
• Electron 突破性 API 变更

Minor 版本增量

• Node.js 次要版本更新
• Electron 无突破性 API 变更

Patch 版本增量

• Node.js patch 版本更新
• 修复相关的 chromium 补丁
• Electron bug 修复

Because Electron's semver ranges will now be more meaningful, we recommend installing Electron using npm's default --save-dev flag, which will prefix your version with ^, keeping you safely up to date with minor and patch updates:

npm install --save-dev electron

For developers interested only in bug fixes, you should use the tilde semver prefix e.g. ~2.0.0, which which will never introduce new features, only fixes to improve stability.

For more details, see electronjs.org/docs/tutorial/electron-versioning.