From eb9589847676c0cb6a88f29db78f36d594526736 Mon Sep 17 00:00:00 2001 From: "electron-website-docs-updater[bot]" <166660481+electron-website-docs-updater[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 21:05:46 +0000 Subject: [PATCH] =?UTF-8?q?chore:=20update=20ref=20to=20docs=20(?= =?UTF-8?q?=F0=9F=A4=96)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/latest/api/context-bridge.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/latest/api/context-bridge.md b/docs/latest/api/context-bridge.md index 91d9255c7..b1b8fa03a 100644 --- a/docs/latest/api/context-bridge.md +++ b/docs/latest/api/context-bridge.md @@ -152,6 +152,25 @@ has been included below for completeness: If the type you care about is not in the above table, it is probably not supported. +### Exposing ipcRenderer + +Attempting to send the entire `ipcRenderer` module as an object over the `contextBridge` will result in +an empty object on the receiving side of the bridge. Sending over `ipcRenderer` in full can let any +code send any message, which is a security footgun. To interact through `ipcRenderer`, provide a safe wrapper +like below: + +```js +// Preload (Isolated World) +contextBridge.exposeInMainWorld('electron', { + onMyEventName: (callback) => ipcRenderer.on('MyEventName', (e, ...args) => callback(args)) +}) +``` + +```js @ts-nocheck +// Renderer (Main World) +window.electron.onMyEventName(data => { /* ... */ }) +``` + ### Exposing Node Global Symbols The `contextBridge` can be used by the preload script to give your renderer access to Node APIs.
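Review bot: In the added preload example, `callback(args)` hands the renderer all message arguments as a single array, but the renderer example names its parameter `data` and nothing in the text says it is an array. Either spread the arguments with `callback(...args)` or state in the prose that `data` is the argument array. In the same line, the expression-bodied arrow returns whatever `ipcRenderer.on(...)` returns to the main world. A block body that returns nothing would match the "safe wrapper" advice in the paragraph above it. The preload snippet also uses `contextBridge` and `ipcRenderer` without showing where they come from; a one-line require at the top would make it copy-paste complete.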