justinmchase
commented
8 years ago it uses ssl but the api endpoints have to essentially be public.
Closed aktywnitu closed 8 years ago
justinmchase
commented
8 years ago it uses ssl but the api endpoints have to essentially be public.
justinmchase
commented
8 years ago After re-reading this I'm understanding that you are actually asking about the safety of the plugin code itself...
The answer is that the code would be run with the same permissions as the app itself: so anything your app can do that plugin could would be able to do. Typically this would be user level permissions, which would let the plugin access the users files etc.
Probably the best solution to isolate plugin code like this if you are concerned about it would be to load it in a <webview> instead of your main app. Electron itself will isolate this code from your application and it will run in an untrusted process. This is assuming you are using these plugins inside an electron app!
If you are not running in electron you probably will need to use child_process and do the isolation yourself, or work on a native module. I'm not sure how safe or easy that would be though.
Hi,
I would like allow users to add guest plugins to my app. Is it secure to Javascript app core code? - it should be private.