Respect official Electron security recommendation

[Bricklou]

Hey !

I higlhy recommand you to check at the Electron Security page, especially about theses 4 following points:

• Do not enable Node.js integration for remote content
• Enable Context Isolation
• Enable process sandboxing
• Do not disable webSecurity

The security of the user should be on the top of your priority, but it seems currently a bit neglected on this part.

Thank you to take my comment in account for the good of your users. :slightly_smiling_face:

[dscalzi]

The problem with their security guidelines is that they want to leave the renderer totally inert. The developer experience is horrendous, having to create IPC bridges for even the most trivial syscall via electron or node itself.

If there are any serious concerns or attack vectors you wish to disclose feel free to private message me and I will take a look. I'm not particularly inclined to follow this guidance to the letter if there are no actual vulnerabilities.

This is not the first time I've reviewed their document, but unfortunately implementing a custom IPC protocol to wrap electron and node's APIs is kind of insane. It might be easier to design around it with a fresh codebase but it's a significant hinderance to redo an existing one.

[Bricklou]

If there are any serious concerns or attack vectors you wish to disclose feel free to private message me and I will take a look.

Sure, care to share your Discord ID ? (i suppose you have once since the project has a Discord Server)

edit: you can also ping me on the server, i joined it

[Bricklou]

Discussion finished on Discord