Closed DevinBayly closed 5 years ago
For intermediate development I'll be working on my own system with non-secure websockets. In case this sounds like a terrible idea, see the discussion on the popular extension GhostText, which this project is in part based on.
Issue brings up the article on interprocess passwords and security here. I think this issue will only be closed in my mind if Iodide applies for a certificate from a Certificate Authority, but it still seems like a bad call to include something like that in the repository, so it likely won't be version controlled here.
Following the conversation in the other thread some more, it seems like using secrets is a way to get around the issue here of interprocess data interception.
Risk being that not only are text areas in Iodide potentially up for grabs, there's a chance that browser control could execute a command through the editor, as these are more powerful these days and don't simply text edit.
Also trying out using a https://letsencrypt.org/ certificate.
Doesn't seem like a good option for something like a web extension.
Ok, just chatted with a guy who explained that localhost socket communication doesn't have much possibility for security vulnerability. Closing for now.
In order for the neovim plugin to actually connect to the browser socket with wss: these files must be created and placed in the /tmp directory of the computer running the external editor. It isn't clear to me whether these are files each user should create or have included in the repo.
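Added example, not part of the original thread or the project's code: one way the shared-secret idea mentioned in the comments could authenticate the peer on a plain localhost socket, with the secret kept in a private file and proven by an HMAC challenge-response so it never crosses the socket. The file location, function names and message layout are assumptions; this authenticates the peer and does not encrypt the traffic.

```python
import hashlib
import hmac
import os
import secrets


def create_secret_file(path):
    """Write a fresh random secret to `path`, accessible by the owner only.

    O_EXCL makes the call fail if the path already exists, including a
    symlink planted by another user in a shared directory such as /tmp.
    """
    secret = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret


def load_secret(path):
    """Read the secret, refusing files owned or accessible by anyone else."""
    st = os.stat(path)
    if st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError(f"{path} is not private to the current user")
    with open(path, "rb") as f:
        return f.read()


def new_challenge():
    """Listening side: one-time random nonce sent to the connecting peer."""
    return secrets.token_bytes(16)


def answer_challenge(secret, challenge):
    """Connecting side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_answer(secret, challenge, answer):
    """Listening side: constant-time check of the peer's answer."""
    if not isinstance(answer, str) or not answer.isascii():
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, answer)
```

A new challenge per connection is what stops a captured answer from being replayed on a later connection.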