Security Audit and known issues

[cloverich]

I've left security disabled to allow for a few hacks while putting together the first phases of development. After getting the basic UX in place I should improve the security in a few ways (checklist below).

This requires at least #47 (or a custom image protocol) and setting up webpack for a preload script (did this in a prior iteration).

• [x] Upgrade latest version of Electron (if straight forward)
• [x] Migrate elevated privilege functionality to a preload script
• [x] Enable webSecurity
• [x] Review the security checklist
• [ ] Set content security policy (affects inline-styles)
• [ ] Sandbox mode?
• [ ] Refactor absolute file protocol usage to use an approved directory like app.getPath('userData') (see https://github.com/cloverich/chronicles/commit/9f48669f6d210dfe2d32c527230fcef883109e04)
• [ ] Sanitize filepaths and prevent directory traversal in fileProtocolHandler (see above)
• [x] Review whether permissions and folders can be explicitly whitelisted in MacOS, and others (see comment)

[cloverich]

On MacOS, the first time the editor tries to save to wherever the selected directory is, this prompt comes up:

It seems to happen whenever I re-install the app as well. It might make more sense to prompt on app start-up, but perhaps after #64 which may address some of it ¯_(ツ)_/¯

[cloverich]

145 is part of https://github.com/cloverich/chronicles/issues/118 and https://github.com/cloverich/chronicles/issues/122 -- it does not close this.

Side note: A content security policy is set; I had to update it to enable data urls.