We should disable Node integration in browser windows

[cwillisf]

Expected Behavior

Node integration should be disabled for all browser windows. Code which needs to use Node features can do so through a preload script. This isn't critical since Scratch Desktop generally doesn't display any remote content, but it wouldn't hurt to be extra careful.

Actual Behavior

Node integration is enabled on all browser windows.

See also

• https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content
• https://gist.github.com/earksiinni/053470a04defc6d7dfaacd5e5a073b15

[apple502j]

@cwillisf Bumping this - and I think it's best to prioritize this more. As my exploit has shown, an XSS is enough to execute arbitrary code (currently) and Scratch app currently contains code that performs dangerous operations (e.g. manipulation of untrusted SVG.) While the issue is partially solved by adding a third party sanitizer, its bypass (such as mXSS) still allows arbitrary code execution. Disabling nodeIntegration is a simple way of reducing the risks of such potential vulnerabilities.

It's also worth mentioning that contextIsolation has to be enabled (otherwise disabling node integration is practically useless, because the sandbox is not strict enough.)

TurboWarp Desktop recently disabled node integration, could be worth checking: https://github.com/TurboWarp/desktop