Security in NW.js
Node and Normal Frames
There are two kinds of frames in NW.js: node frame and normal frame.
Node frames have the following capabilities that normal frames lack:
- Access Node.js / NW.js APIs
- Access extended DOM features, such as save as dialog, nwUserAgent attribute etc.
- Bypass all security restrictions, such as sandboxing, same origin policy etc. For example, in node frames you can make cross-origin XHR requests to any remote site, or access an <iframe> element whose src points to a remote site.
In NW.js, a frame matching ALL of the following criteria is a node frame:
- nodejs set to true in manifest file
- URL of windows and frames matching node-remote patterns in manifest file or chrome-extension:// protocol.
- Frames or parent frames NOT having nwdisable attribute.
- Frames or parent frames NOT in <webview> tag
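The four criteria above can be checked mechanically when reviewing an app. The following is an added example, not NW.js code: it models the criteria to list which frames would run with Node.js access. The frame object shape, the sample URLs and the simplified pattern matcher are assumptions made for illustration.

```javascript
// Simplified model of the four criteria (added example, not NW.js source).
// Assumption: "*" in a node-remote pattern matches any run of characters and
// "<all_urls>" matches everything; real match patterns have more rules.
function matchesPattern(pattern, url) {
  if (pattern === '<all_urls>') return true;
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$').test(url);
}

// frame: { url, nwdisable, inWebview, parent } (hypothetical shape).
function isNodeFrame(manifest, frame) {
  // Criterion 1: nodejs is true. Assumption: an absent key counts as true.
  if (manifest.nodejs === false) return false;
  // Criterion 2: URL matches node-remote or uses chrome-extension://.
  const patterns = [].concat(manifest['node-remote'] || []);
  const urlOk = frame.url.startsWith('chrome-extension://') ||
    patterns.some((p) => matchesPattern(p, frame.url));
  if (!urlOk) return false;
  // Criteria 3 and 4: no nwdisable and no <webview> on the frame or ancestors.
  for (let f = frame; f; f = f.parent) {
    if (f.nwdisable || f.inWebview) return false;
  }
  return true;
}

// Returns the URLs of all frames that would run with Node.js access.
function auditFrames(manifest, frames) {
  return frames.filter((f) => isNodeFrame(manifest, f)).map((f) => f.url);
}

// Constructed sample data.
const main = { url: 'chrome-extension://appid/index.html', parent: null };
const locked = { url: 'chrome-extension://appid/viewer.html', nwdisable: true, parent: main };
const frames = [
  main,
  { url: 'https://updates.example.test/feed.html', parent: main },
  { url: 'https://ads.example.test/banner.html', parent: main },
  locked,
  { url: 'chrome-extension://appid/inner.html', parent: locked },
  { url: 'https://updates.example.test/feed.html', inWebview: true, parent: main },
];
const narrow = { nodejs: true, 'node-remote': '*://updates.example.test/*' };
const broad = { nodejs: true, 'node-remote': '<all_urls>' };

console.log('narrow:', auditFrames(narrow, frames));
console.log('broad: ', auditFrames(broad, frames));
```

With the narrow pattern only the main window and the one matching remote frame are node frames; with the broad pattern the third-party frame becomes a node frame too, while nwdisable and <webview> still keep their subtrees normal.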