Electron security recommendations: https://electronjs.org/docs/tutorial/security

Implemented:
- Limit navigation to only paths in the app(s) (e.g. via `window.location = 'https://somewhere.com'`)
- Whitelist use of Electron/remote modules that are close to the system and could be abused. Currently we only use `remote.app` for our upcoming settings features
- Disable creation of new app windows, open these URLs inside the system's default browser instead

FYI: Tested also `npm run release` and the resulting app on macOS. Still works as it should be 🎉 🎈 💯
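
One way to wire the three measures listed above into the main process, as an added example that is not code from this pull request. It uses `setWindowOpenHandler` where older Electron releases used the `new-window` event, and takes `app` and `shell` as parameters so the policy can be exercised without a running Electron process. Assumptions: the origin `https://app.example.com` is a placeholder, and the helper names are hypothetical.

```javascript
// Added example: placeholder origin and hypothetical helper names, not project code.
const APP_ORIGINS = new Set(['https://app.example.com']); // assumed app origin
const ALLOWED_REMOTE_BUILTINS = new Set(['app']);          // only remote.app is allowed

// Parse strictly; anything unparsable is treated as not allowed.
function parseUrl(raw) {
  try { return new URL(raw); } catch { return null; }
}

// In-app navigation requires an exact origin match (scheme + host + port),
// so look-alike hosts and userinfo tricks do not pass a prefix comparison.
function isAppNavigation(raw) {
  const u = parseUrl(raw);
  return u !== null && APP_ORIGINS.has(u.origin);
}

// Only plain web links are handed to the OS; file:, javascript: and custom
// schemes are dropped instead of being passed to the default handler.
function isSafeExternal(raw) {
  const u = parseUrl(raw);
  return u !== null && (u.protocol === 'https:' || u.protocol === 'http:');
}

// Attach the policy to every webContents the app creates.
function hardenApp(app, shell) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-navigate', (event, url) => {
      if (!isAppNavigation(url)) event.preventDefault(); // stay inside the app
    });
    contents.setWindowOpenHandler(({ url }) => {
      if (isSafeExternal(url)) shell.openExternal(url);  // system default browser
      return { action: 'deny' };                         // never a new app window
    });
  });
  // Emitted when a renderer requests a built-in module through remote.
  app.on('remote-get-builtin', (event, _contents, moduleName) => {
    if (!ALLOWED_REMOTE_BUILTINS.has(moduleName)) event.preventDefault();
  });
}
```
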