A High severity vulnerability has been discovered in Chrome which affects all software based on Chromium, including Electron.

此漏洞已被分配 CVE-2019-13720。 您可以在 Chrome 博客文章 中阅读更多关于它的信息。

请注意，Chrome将这个漏洞报告为已经被利用，因此强烈建议您尽快升级 Electron

作用域​

This affects any Electron application that may run third-party or untrusted JavaScript.

Mitigation​

Affected apps should upgrade to a patched version of Electron.

We've published new versions of Electron which include fixes for this vulnerability:

• 6.1.4

Electron 7.0.1 在发布通知之前已自动包含了上游的修复。 Electron 8同样不受影响。 该漏洞在Electron 5中不存在，因此该版本也不受影响。

Further Information​

此漏洞由卡巴斯基实验室的 Anton Ivanov 和 Alexey Kulaev 发现，并报告给 Chrome 团队。 Chrome博客文章可以在这里找到 。

要了解更多关于维护您的 Electron 应用安全的最佳做法，请参阅我们的 安全教程。

If you wish to report a vulnerability in Electron, email security@electronjs.org.

Electron 7.0.0 已发布！ 它包括升级Chromium 78, V8 7.8和Node.js 12.8.1。 我们已经添加了一个窗口到Arm 64版本，更快的 IPC 方法，一个新的 本地主题 API，还有更多！

Electron 团队很高兴发布了 Electron 7.0.0.0！ 您可以通过 npm 安装electron@later 或者从我们的 发布网站 下载它。 这次发布包含升级、修复和新功能。 We can't wait to see what you build with them! Continue reading for details about this release, and please share any feedback you have!

重要变化​

• Stack Upgrades:

  Stack	Version in Electron 6	Version in Electron 7	What's New
  Chromium	76.0.3809.146	78.0.3905.1	77, 78
  V8	7.6	7.8	7.7, 7.8
  Node.js	12.4.0	12.8.1	12.5, 12.6, 12.7, 12.8, 12.8.1

• Added Windows on Arm (64 bit) release. #18591, #20112

• Added ipcRenderer.invoke() and ipcMain.handle() for asynchronous request/response-style IPC. These are strongly recommended over the remote module. See this "Electron’s ‘remote’ module considered harmful" blog post for more information. #18449

• Added nativeTheme API to read and respond to changes in the OS's theme and color scheme. #19758, #20486

• Switched to a new TypeScript Definitions generator. The resulting definitions are more precise; so if your TypeScript build fails, this is the likely cause. #18103

See the 7.0.0 release notes for a longer list of changes.

重大更改​

有关这些和未来变化的更多信息可在 计划的破坏性变化 页面找到。

• Removed deprecated APIs:
  • Callback-based versions of functions that now use Promises. #17907
  • Tray.setHighlightMode() (macOS). #18981
  • app.enableMixedSandbox() #17894
  • app.getApplicationMenu(),
  • app.setApplicationMenu(),
  • powerMonitor.querySystemIdleState(),
  • powerMonitor.querySystemIdleTime(),
  • webFrame.setIsolatedWorldContentSecurityPolicy(),
  • webFrame.setIsolatedWorldHumanReadableName(),
  • webFrame.setIsolatedWorldSecurityOrigin() #18159
• Session.clearAuthCache() no longer allows filtering the cleared cache entries. #17970
• Native interfaces on macOS (menus, dialogs, etc.) now automatically match the dark mode setting on the user's machine. #19226
• Updated the electron module to use @electron/get. The minimum supported node version is now Node 8. #18413
• The file electron.asar no longer exists. Any packaging scripts that depend on its existence should be updated. #18577

终止对 4.x.y 的支持​

Electron 4.x.y has reached end-of-support as per the project's support policy. 我们鼓励开发者将应用程序升级到更新的 Electron 版本。

应用反馈项目​

We continue to use our App Feedback Program for testing. Projects who participate in this program test Electron betas on their apps; and in return, the new bugs they find are prioritized for the stable release. If you'd like to participate or learn more, check out our blog post about the program.

接下来​

在短期内，您可以期待团队继续专注于跟上构成 Electron 的主要组件的开发，包括 Chromium、Node 和 V8。 尽管我们谨慎地避免对发布日期做出承诺，但我们的计划是大约每季度发布一次 Electron 的新主要版本以及这些组件的新版本。 暂定 8.0.0 时间表 展示了 Electron 8 开发生命周期中的关键日期。 Also, see our versioning document for more detailed information about versioning in Electron.

For information on planned breaking changes in upcoming versions of Electron, see our Planned Breaking Changes doc.

Electron 团队很高兴发布了 Electron 6.0.0.0！ 您可以通过 npm 安装electron@later 或者从我们的 发布网站 下载它。 这次发布包含升级、修复和新功能。 We can't wait to see what you build with them! Continue reading for details about this release, and please share any feedback you have!

What's New​

Today marks a first for the Electron project: this is the first time we've made a stable Electron release on the same day as the corresponding Chrome stable release! 🎉

Much of Electron's functionality is provided by the core components of Chromium, Node.js, and V8. Electron keeps up-to-date with these projects to provide our users with new JavaScript features, performance improvements, and security fixes. Each of these packages has a major version bump in Electron 6:

• Chromium 76.0.3809.88
  • New in 74
  • New in 75
  • New in 76
• Node.js 12.4.0
  • Node 12.4.0 博文
• V8 7.6.303.22
  • V8 7.6 博文

This release also includes improvements to Electron's APIs. The release notes have a more complete list, but here are the highlights:

Promisification​

Electron 6.0 continues the modernization initiative started in 5.0 to improve Promise support.

These functions now return Promises and still support older callback-based invocation:

• contentTracing.getCategories() #16583
• contentTracing.getCategories() #16583
• contentTracking.getTraceBufferUs() #16600
• contents.executeJavaScript() #17312
• cookies.flushStore() #16464
• cookies.get() #16464
• cookies.remove() #16464
• cookies.set() #16464
• dialog.showCertificateTrustDialog() #17181
• inAppPurchase.getProducts() #17355
• inAppPurchase.purchaseProduct()#17355
• netLog.stopLogging() #16862
• session.clearAuthCache() #17259
• session.clearCache() #17185
• session.clearHostResolverCache() #17229
• session.clearStorageData() #17249
• session.getBlobData() #17303
• session.getCacheSize() #17185
• session.resolveProxy() #17222
• session.setProxy() #17222
• webContents.hasServiceWorker() #16535
• webContents.printToPDF() #16795
• webContents.savePage() #16742
• webFrame.executeJavaScript() #17312
• webFrame.executeJavaScriptInIsolatedWorld() #17312
• webviewTag.executeJavaScript() #17312

这些功能现在有两种形式，即同步和基于Promise的异步：

• dialog.showMessageBox()/dialog.showMessageBoxSync() #17298
• dialog.showOpenDialog()/dialog.showOpenDialogSync() #16973
• dialog.showSaveDialog()/dialog.showSaveDialogSync() #17054

These functions now return Promises:

• app.dock.show() #16904

Electron Helper (Renderer).app, Electron Helper (GPU).app and Electron Helper (Plugin).app​

In order to enable the hardened runtime, which restricts things like writable-executable memory and loading code signed by a different Team ID, special code signing entitlements needed to be granted to the Helper.

To keep these entitlements scoped to the process types that require them, Chromium added three new variants of the Helper app: one for renderers (Electron Helper (Renderer).app), one for the GPU process (Electron Helper (GPU).app) and one for plugins (Electron Helper (Plugin).app).

Folks using electron-osx-sign to codesign their Electron app shouldn't have to make any changes to their build logic. If you're codesigning your app with custom scripts, you should ensure that the three new Helper applications are correctly codesigned.

In order to package your application correctly with these new helpers you need to be using electron-packager@14.0.4 or higher. If you are using electron-builder you should follow this issue to track support for these new helpers.

重大更改​

• This release begins laying the groundwork for a future requirement that native Node modules loaded in the renderer process be either N-API or Context Aware. The reasons for this change are faster performance, stronger security, and reduced maintenance workload. Read the full details including the proposed timeline in this issue. This change is expected to be completed in Electron v11.

• net.IncomingMessage headers have changed slightly to more closely match Node.js behavior, particularly with the value of set-cookie and how duplicate headers are handled. #17517.

• shell.showItemInFolder() now returns void and is an asynchronous call. #17121

• Apps must now explicitly set a log path by calling the new function app.setAppLogPath() before using app.getPath('log'). #17841

终止对 3.x.y 的支持​

Per our support policy, 3.x.y has reached end of life. 我们鼓励开发者将应用程序升级到更新的 Electron 版本。

应用反馈项目​

We continue to use our App Feedback Program for testing. Projects who participate in this program test Electron betas on their apps; and in return, the new bugs they find are prioritized for the stable release. If you'd like to participate or learn more, check out our blog post about the program.

接下来​

在短期内，您可以期待团队继续专注于跟上构成 Electron 的主要组件的开发，包括 Chromium、Node 和 V8。 尽管我们谨慎地避免对发布日期做出承诺，但我们的计划是大约每季度发布一次 Electron 的新主要版本以及这些组件的新版本。 暂定 7.0.0 时间表 展示了 Electron 7 开发生命周期中的关键日期。 Also, see our versioning document for more detailed information about versioning in Electron.

For information on planned breaking changes in upcoming versions of Electron, see our Planned Breaking Changes doc.

🎉 Electron 每12周将会新发布一个稳定版本！ 🎉

⚡️ 哇，那也太快了！ 但为什么呢？​

简而言之，Chromium 不会停止发布新版本，所以 Electron 的研发也不会减速。

Chromium 的发布遵循每六周更新一次的规划。 为了在Electron中提供最新版本的Chromium，我们的发布计划需要跟踪他们的版本。 有关Chromium发布周期的更多信息可以在这里找到 。

🚀 为什么是每12周一次？​

每6周，新的 Chromium 版本就会发布新功能，错误 / 安全修复和 V8 的改进。 Electron 用户一直迫切明确地表示希望这些更改能及时进行，因此我们调整了稳定发布日期，以匹配其他所有Chromium 稳定版本。 首先，Electron v6.0.0 将包括 M76，并计划于2019年7月30日发布稳定版，与Chromium M76同一天发布。

🚧这对我和我的 Electron 应用意味着什么？​

您将能比以前更快地访问新的 Chromium 和 V8 功能和补丁。 重要的是，_当这些新变化到来时_您也能知道，因此您将能够使用比以前更好的信息进行规划。

Electron 团队 将继续支持 最新的三个主要版本。 例如，当 v6.0.0 在 2019 年 7 月 30 日稳定时，我们将继续支持 v6.x、v5.x 和 v4.x，而 v3.x 将寿终正寝。

💬 应用反馈项目​

请考虑加入我们的 应用反馈计划 ，以帮助我们测试 Beta 版和应用稳定性。 Projects who participate in this program test Electron betas on their apps; and in return, the new bugs they find are prioritized for the stable release.

📝 Electron 版本简史​

在 v3.0.0 之前，有关稳定版本的发布决策没有规律进行。 我们添加了项目的内部时间表与 v3.0.0 和 v4.0.0。 今年早些时候，我们决定首次发布 Electron v5.0.0 的稳定发布日期。 总的来说，宣布我们的稳定发布日期得到了积极的回应，我们很高兴在未来的版本中继续这样做。

为了更好地简化这些与升级相关的工作，我们的更新和发布工作组将会和我们的治理组合作 他们使得我们能够更好地确定这项工作的优先级并委派这项工作，我们希望在后续的版本中这些改变都会变得更加明显。

以下是我们和 Chromium 相比的更新计划表：

📨 如果您有任何疑问，请发送电子邮件至 info@electronjs.org。

Electron 团队很高兴发布了 Electron 5.0.0.0！ You can install it with npm via npm install electron@latest or download the tarballs from our releases page. 这次发布包含升级、修复和新功能。 We can't wait to see what you build with them! Continue reading for details about this release, and please share any feedback you have!

What's New?​

Much of Electron's functionality is provided by the core components of Chromium, Node.js, and V8. Electron keeps up-to-date with these projects to provide our users with new JavaScript features, performance improvements, and security fixes. Each of these packages has a major version bump in Electron 5:

• Chromium 73.0.3683.119
  • New in 70
  • New in 71
  • New in 72
  • New in 73
• Node.js 12.0.0
  • Node 12 Blog Post
• V8 7.3.492.27.
  • New JS Features

Electron 5 also includes improvements to Electron-specific APIs. A summary of the major changes is below; for the full list of changes, check out the Electron v5.0.0 release notes.

Promisification​

Electron 5 continues Promisification initiative initiative to convert Electron's callback-based API to use Promises. These APIs were converted for Electron 5:

• app.getFileIcon
• contentTracing.getCategories
• contentTracing.startRecording
• contentTracing.stopRecording
• debugger.sendCommand
• Cookies API
• shell.openExternal
• webContents.loadFile
• webContents.loadURL
• webContents.zoomLevel
• webContents.zoomFactor
• win.capturePage

System colors access for macOS​

These functions were changed or added to systemPreferences to access macOS systems' colors:

• systemPreferences.getAccentColor
• systemPreferences.getColor
• systemPreferences.getSystemColor

Process memory information​

The function process.getProcessMemoryInfo has been added to get memory usage statistics about the current process.

Additional filtering for remote APIs​

To improve security in the remote API, new remote events have been added so that remote.getBuiltin, remote.getCurrentWindow, remote.getCurrentWebContents and <webview>.getWebContents can be filtered.

Multiple BrowserViews on BrowserWindow​

BrowserWindow now supports managing multiple BrowserViews within the same BrowserWindow.

重大更改​

Defaults for packaged apps​

Packaged apps will now behave the same as the default app: a default application menu will be created unless the app has one and the window-all-closed event will be automatically handled unless the app handles the event.

Mixed sandbox​

Mixed sandbox mode is now enabled by default. Renderers launched with sandbox: true will now be actually sandboxed, where previously they would only be sandboxed if mixed-sandbox mode was also enabled.

Security improvements​

The default values of nodeIntegration and webviewTag are now false to improve security.

Spellchecker now asynchronous​

The SpellCheck API has been changed to provide asynchronous results.

Deprecations​

The following APIs are newly deprecated in Electron 5.0.0 and planned for removal in 6.0.0:

Mksnapshot binaries for arm and arm64​

mksnapshot 用于武器和arm64 的本机二进制二进制已废弃，将在6秒后移除。 .0 可以使用 x64 二进制程序为手臂和arm64 创建快照。

ServiceWorker APIs on WebContents​

Deprecated ServiceWorker APIs on WebContents in preparation for their removal.

• webContents.hasServiceWorker
• webContents.unregisterServiceWorker

Automatic modules with sandboxed webContents​

In order to improve security, the following modules are being deprecated for use directly via require and will instead need to be included via remote.require in a sandboxed webcontents:

• electron.screen
• child_process
• fs
• os
• 路径

webFrame Isolated World APIs​

webFrame.setIsolatedWorldContentSecurityPolicy,webFrame.setIsolatedWorldHumanReadableName, webFrame.setIsolatedWorldSecurityOrigin have been deprecated in favor of webFrame.setIsolatedWorldInfo.

Mixed sandbox​

enableMixedSandbox and the --enable-mixed-sandbox command-line switch still exist for compatibility, but are deprecated and have no effect.

End of support for 2.0.x​

Per our supported versions policy, 2.0.x has reached end of life.

应用反馈项目​

We continue to use our App Feedback Program for testing. Projects who participate in this program test Electron betas on their apps; and in return, the new bugs they find are prioritized for the stable release. If you'd like to participate or learn more, check out our blog post about the program.

接下来​

在短期内，您可以期待团队继续专注于跟上构成 Electron 的主要组件的开发，包括 Chromium、Node 和 V8。 尽管我们谨慎地避免对发布日期做出承诺，但我们的计划是大约每季度发布一次 Electron 的新主要版本以及这些组件的新版本。 暂定 6.0.0 时间表 展示了 Electron 6 开发生命周期中的关键日期。 Also, see our versioning document for more detailed information about versioning in Electron.

For information on planned breaking changes in upcoming versions of Electron, see our Planned Breaking Changes doc.

As Electron grows in popularity for desktop applications, the team working on it has also grown: we have more fulltime maintainers who work for different companies, live in different timezones, and have different interests. We're introducing a governance structure so we can keep growing smoothly.

Why are things changing?​

People in the Electron project coordinate in timezones around the world with volunteers, with full-time maintainers, and with several companies who all rely on Electron. Until now, we've been successful with informal coordination; but as the team has grown, we've found that the approach doesn't scale. We also want to make it easier for new contributors to find a place to call home in the project.

工作组​

Electron governance includes working groups that are responsible for different parts of the project. We're starting out with seven groups:

• Community & Safety: Handles Code of Conduct issues.
• Docs & Tooling: Oversees externally-focused tooling (e.g. Fiddle, Forge) and the Electron documentation.
• Outreach: Helps grow the Electron community.
• Releases: Ensures releases are stable and on schedule.
• Security: Performs security testing and responds to security issues.
• Upgrades: Integrates upstream upgrades, such as new versions of V8, Chromium, and Node.
• Website: Maintains and improves the Electron website.

These groups will coordinate with each other, but each has their own meeting schedules and agendas to be productive on their own. More details on these groups are available at the governance repository.

Does this change the Electron project's direction?​

This shouldn't have any direct effect on Electron's direction. If our strategy is successful, working groups will make it easier for new contributors to find topics that interest them, and make maintainers' lives simpler by moving discussion unrelated to their day-to-day work to other groups. If that happens, it may indirectly affect things by having more unblocked people working together.

Where can I learn more?​

• The governance repo and charter have information about the new governance structure.
• Each working group has its own page: Community, Docs & Tools, Outreach, Releases, Security, Upgrades, and Website.
• You can contact the maintainers by opening an issue or mailing us at info@electronjs.org.

C++或Objective-C写的Electron的功能如何被JavaScript访问，以便最终用户可以使用？

背景​

Electron 是一个JavaScript 平台，其主要目的是降低门口，让开发人员能够构建强大的桌面应用，而不必担心平台的具体实现情况。 然而，在其核心上，Electron本身仍然需要特定平台的功能以特定的系统语言写入。

In reality, Electron handles the native code for you so that you can focus on a single JavaScript API.

How does that work, though? C++或Objective-C写的Electron的功能如何被JavaScript访问，以便最终用户可以使用？

To trace this pathway, let's start with the app module.

By opening the app.ts file inside our lib/ directory, you'll find the following line of code towards the top:

const binding = process.electronBinding('app');

This line points directly to Electron's mechanism for binding its C++/Objective-C modules to JavaScript for use by developers. This function is created by the header and implementation file for the ElectronBindings class.

process.electronBinding​

These files add the process.electronBinding function, which behaves like Node.js’ process.binding. process.binding is a lower-level implementation of Node.js' require() method, except it allows users to require native code instead of other code written in JS. This custom process.electronBinding function confers the ability to load native code from Electron.

When a top-level JavaScript module (like app) requires this native code, how is the state of that native code determined and set? Where are the methods exposed up to JavaScript? What about the properties?

native_mate​

目前，这个可以在native_mate找到答案解决方案，Chromium的一个 gin 分支库，它使得在C++和JavaScript的类型交互更加容易

Inside native_mate/native_mate there's a header and implementation file for object_template_builder. This is what allow us to form modules in native code whose shape conforms to what JavaScript developers would expect.

mate::ObjectTemplateBuilder​

If we look at every Electron module as an object, it becomes easier to see why we would want to use object_template_builder to construct them. This class is built on top of a class exposed by V8, which is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. V8 implements the JavaScript (ECMAScript) specification, so its native functionality implementations can be directly correlated to implementations in JavaScript. For example, v8::ObjectTemplate gives us JavaScript objects without a dedicated constructor function and prototype. It uses Object[.prototype], and in JavaScript would be equivalent to Object.create().

To see this in action, look to the implementation file for the app module, atom_api_app.cc. At the bottom is the following:

mate::ObjectTemplateBuilder(isolate, prototype->PrototypeTemplate())
    .SetMethod("getGPUInfo", &App::GetGPUInfo)

In the above line, .SetMethod is called on mate::ObjectTemplateBuilder. .SetMethod can be called on any instance of the ObjectTemplateBuilder class to set methods on the Object prototype in JavaScript, with the following syntax:

.SetMethod("method_name", &function_to_bind)

This is the JavaScript equivalent of:

function App{}
App.prototype.getGPUInfo = function () {
  // implementation here
}

This class also contains functions to set properties on a module:

.SetProperty("property_name", &getter_function_to_bind)

或

.SetProperty("property_name", &getter_function_to_bind, &setter_function_to_bind)

These would in turn be the JavaScript implementations of Object.defineProperty:

function App {}
Object.defineProperty(App.prototype, 'myProperty', {
  get() {
    return _myProperty
  }
})

和

function App {}
Object.defineProperty(App.prototype, 'myProperty', {
  get() {
    return _myProperty
  }
  set(newPropertyValue) {
    _myProperty = newPropertyValue
  }
})

It’s possible to create JavaScript objects formed with prototypes and properties as developers expect them, and more clearly reason about functions and properties implemented at this lower system level!

The decision around where to implement any given module method is itself a complex and oft-nondeterministic one, which we'll cover in a future post.

A High severity vulnerability has been discovered in Chrome which affects all software based on Chromium, including Electron.

此漏洞已被分配 CVE-2019-5786。 You can read more about it in the Chrome Blog Post.

Please note that Chrome has reports of this vulnerability being used in the wild so it is strongly recommended you upgrade Electron ASAP.

作用域​

This affects any Electron application that may run third-party or untrusted JavaScript.

Mitigation​

Affected apps should upgrade to a patched version of Electron.

We've published new versions of Electron which include fixes for this vulnerability:

• 4.0.8
• 3.1.6
• 3.0.16
• 2.0.18

The latest beta of Electron 5 was tracking Chromium 73 and therefore is already patched:

• 5.0.0-beta.5

Further Information​

This vulnerability was discovered by Clement Lecigne of Google's Threat Analysis Group and reported to the Chrome team. The Chrome blog post can be found here.

要了解更多关于维护您的 Electron 应用安全的最佳做法，请参阅我们的 安全教程。

If you wish to report a vulnerability in Electron, email security@electronjs.org.

Electron 团队将停止支持 32 位 Linux (ia32 / i386)，从Electron v4.0 开始。 支持基于32位的 Linux 安装的 Electron 最后版本是 Electron v3.1，它将获得支持版本直到Electron v6 被解除。 Support for 64-bit based Linux and armv7l will continue unchanged.

What exactly is Electron no longer supporting?​

You may have seen the description "64-bit" and "32-bit" as stickers on your computer or as options for downloading software. The term is used to describe a specific computer architecture. Most computers made in the 1990s and early 2000s were made with CPUs that were based on the 32-bit architecture, while most computers made later were based on the newer and more powerful 64-bit architecture. The Nintendo 64 (get it?) and the PlayStation 2 were the first widely available consumer devices with the new architecture, computers sold after 2010 contained almost exclusively 64-bit processors. As a result, support has been shrinking: Google stopped releasing Chrome for 32-bit Linux in March 2016, Canonical stopped providing 32-bit desktop images in 2017 and dropped support for 32-bit altogether with Ubuntu 18.10. Arch Linux, elementary OS, and other prominent Linux distributions have already dropped support for the aging processor architecture.

Until now, Electron has provided and supported builds that run on the older 32-bit architecture. From release v4.0 onwards, the Electron team will no longer be able to provide binaries or support for 32-bit Linux.

Electron has always been a vibrant open source project and we continue to support and encourage developers interested in building Electron for exotic architectures.

What does that mean for developers?​

If you are not currently providing 32-bit distributions of your app for Linux, no action is required.

Projects which ship 32-bit Linux Electron applications will need to decide how to proceed. 32-bit Linux will be supported on Electron 3 until the release of Electron 6, which gives some time to make decisions and plans.

What does that mean for users?​

If you are a Linux user and not sure whether or not you're running a 64-bit based system, you are likely running on a 64-bit based architecture. To make sure, you can run the lscpu or uname -m commands in your terminal. Either one will print your current architecture.

If you are using Linux on a 32-bit processor, you have likely already encountered difficulties finding recently released software for your operating system. The Electron team joins other prominent members in the Linux community by recommending that you upgrade to a 64-bit based architecture.

已发现一个代码漏洞，允许在子窗口中重新启用 Node。

打开一个带有 sandbox: true 或者 nativeWindowOpen: true 和 nodeIntegration: false 这些属性的 BrowserView ，将生成一个 webContents ，里面的window.open 方法可以被调用，同时新打开的子窗口将启用 nodeIntegration。 此漏洞会影响所有受支持的 Electron 版本。

Mitigation​

We've published new versions of Electron which include fixes for this vulnerability: 2.0.17, 3.0.15, 3.1.3, 4.0.4, and 5.0.0-beta.2. 我们鼓励所有 Electron 开发者立即更新他们的应用程序到最新稳定版本。

如果由于某些原因，无法升级 Electron 版本，你可以通过禁用所有子网页内容来缓解这个问题：

view.webContents.on('-add-new-contents', (e) => e.preventDefault());

Further Information​

此漏洞是由 PalmerAL发现并负责任地报告给Electron项目的。

要了解更多关于维护您的 Electron 应用安全的最佳做法，请参阅我们的 安全教程。

If you wish to report a vulnerability in Electron, email security@electronjs.org.