6 electron Security

Auckland, Conference, OWASP

6 electron Security

disable node.js access

permission handling

geo, camera …

browser normally ask the user but electron does not.

the webview tag

has isw own process and memory allocation
alwys validate dynamically created webviews
configurable like the browser window

others

using context isolation for js Global objects
allow popups on a webview
mixed content (insecure contetn loaded on a securely loaded page)
setup a content security policy

ref

demo github.com/nawazg/owasp_nzday_2019_talk
slack.engineering
electron doc security
provoke solutions are hiring