6 Electron Security

  • disable Node.js access (nodeIntegration) in any renderer that loads remote content

permission handling

geolocation, camera, microphone …

A browser normally asks the user; Electron does not: it grants every permission request unless the app installs a permission request handler on the session.
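The handler the note refers to, as an added example (not code from the talk or its demo repo): a per-origin allowlist that decides each request, with the origin list a made-up assumption. The wiring to the Electron session only runs when the file is loaded inside Electron, so the policy function itself can be exercised under plain Node.

```javascript
// Added example: a permission policy for Electron sessions.
// Electron grants permission requests by default unless a handler is installed,
// so this decides per permission and per requesting origin.

// Hypothetical allowlist (assumption): which origins may use which permissions.
const PERMISSION_POLICY = {
  'https://app.example.com': new Set(['geolocation', 'notifications']),
};

// Returns true only if the requesting page is https: and its origin is
// allowlisted for that permission. Anything unparsable or non-https: is denied.
function decidePermission(permission, requestingUrl, policy = PERMISSION_POLICY) {
  let origin;
  try {
    const url = new URL(requestingUrl);
    if (url.protocol !== 'https:') return false; // never grant to http:, file:, data:, about:blank
    origin = url.origin;
  } catch {
    return false; // unparsable or missing URL: deny
  }
  const allowed = policy[origin];
  return allowed !== undefined && allowed.has(permission);
}

// Wires the policy into an Electron Session object (ses).
function installPermissionHandler(ses, policy = PERMISSION_POLICY) {
  // Prompt-style requests, e.g. navigator.geolocation.getCurrentPosition(), getUserMedia().
  ses.setPermissionRequestHandler((webContents, permission, callback, details) => {
    const requestingUrl = (details && details.requestingUrl) || webContents.getURL();
    callback(decidePermission(permission, requestingUrl, policy));
  });
  // Synchronous checks (Permissions API queries) apply the same rule.
  ses.setPermissionCheckHandler((webContents, permission, requestingOrigin) =>
    decidePermission(permission, requestingOrigin, policy));
}

// Only touch Electron when actually running inside it, so the file also loads under plain Node.
if (process.versions.electron) {
  const { app, session } = require('electron');
  app.whenReady().then(() => installPermissionHandler(session.defaultSession));
}
```

Denying by default and allowlisting origins is the point: a compromised or navigated-away renderer cannot reach the camera or location just because the app happens to have a window open.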

the webview tag

  • has its own process and memory allocation
  • always validate dynamically created webviews (the will-attach-webview event fires before attachment and can cancel it)
  • configurable like the browser window (same webPreferences, so the same hardening applies)
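How that validation looks in practice, as an added example (not code from the talk or its demo repo): every webview attachment is rewritten to safe settings and checked against an allowlist of origins, which is an assumption here. The check is a pure function mirroring the arguments Electron passes to will-attach-webview, so it runs under plain Node; the hook-up happens only inside Electron.

```javascript
// Added example: validating a <webview> before it attaches.
// A <webview> tag created at runtime (or injected by attacker-controlled content)
// can request its own preload script and Node integration, so every attachment
// is vetted here regardless of what the tag asked for.

// Hypothetical allowlist (assumption) of origins a webview may load.
const WEBVIEW_ORIGINS = new Set(['https://content.example.com']);

// Rewrites webPreferences in place to safe settings and returns whether the
// attachment should proceed. Takes the (webPreferences, params) shape that
// Electron hands to the 'will-attach-webview' handler.
function vetWebview(webPreferences, params, allowedOrigins = WEBVIEW_ORIGINS) {
  // Strip anything the tag tried to smuggle in, then force the safe defaults.
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInSubFrames = false;
  webPreferences.contextIsolation = true;
  webPreferences.sandbox = true;
  webPreferences.webSecurity = true;               // keep the same-origin policy on
  webPreferences.allowRunningInsecureContent = false; // no mixed content

  // Only https: URLs from allowlisted origins may load; a missing or odd src is refused.
  let origin;
  try {
    const url = new URL(params.src);
    if (url.protocol !== 'https:') return false;
    origin = url.origin;
  } catch {
    return false;
  }
  return allowedOrigins.has(origin);
}

// Hooks the check into every WebContents the app creates (Electron only).
function installWebviewGuard(app, allowedOrigins = WEBVIEW_ORIGINS) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      if (!vetWebview(webPreferences, params, allowedOrigins)) {
        event.preventDefault(); // attachment refused
      }
    });
  });
}

if (process.versions.electron) {
  installWebviewGuard(require('electron').app);
}
```

Forcing the preferences rather than merely inspecting them matters because the tag's attributes are under the control of whatever page rendered it; if that page was compromised, the attributes are attacker input.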

others

  • use context isolation so preload scripts and page JS do not share global objects
  • the allowpopups attribute on a webview (leave it off)
  • mixed content (insecure content loaded on a securely loaded page): do not allow it
  • set up a Content Security Policy
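Pulling the window-level items together, including the earlier "disable Node.js access" point, as an added example (not code from the talk or its demo repo): the weak webPreferences shown for contrast, the hardened counterpart, a CSP added to every response, and a window-open handler in place of popups. The CSP string and the allowlisted origin are assumptions. Only the helper functions run under plain Node; the Electron wiring is guarded.

```javascript
// Added example: hardening a BrowserWindow that shows remote content.

// Weak settings still found in older Electron apps, kept only for contrast.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,             // page JS can require('child_process')
  contextIsolation: false,           // preload globals reachable from page JS
  webSecurity: false,                // same-origin policy off
  allowRunningInsecureContent: true, // mixed content permitted
};

// Hardened counterpart; preloadPath is optional and only set when given.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    nodeIntegrationInWorker: false,
    nodeIntegrationInSubFrames: false,
    contextIsolation: true,             // preload gets its own JS world; expose via contextBridge
    sandbox: true,
    webSecurity: true,
    allowRunningInsecureContent: false, // blocks mixed content
    ...(preloadPath ? { preload: preloadPath } : {}),
  };
}

// Hypothetical policy (assumption): scripts only from self, no inline scripts, no plugins.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Returns a copy of Electron's responseHeaders (name -> array of values) with our
// CSP appended under one canonical header name. Existing CSP values are kept,
// not replaced: browsers enforce every CSP header present, so this only tightens.
function withCsp(responseHeaders, csp = CSP) {
  const out = {};
  const existing = [];
  for (const [name, value] of Object.entries(responseHeaders || {})) {
    if (name.toLowerCase() === 'content-security-policy') existing.push(...value);
    else out[name] = value;
  }
  out['Content-Security-Policy'] = [...existing, csp];
  return out;
}

// Decides window.open() / target=_blank requests: allowlisted https: origins go to
// the system browser, everything else is denied. No new Electron windows either way.
function windowOpenPolicy(url, allowedOrigins) {
  try {
    const u = new URL(url);
    if (u.protocol === 'https:' && allowedOrigins.has(u.origin)) return 'external';
  } catch {
    // unparsable URL falls through to deny
  }
  return 'deny';
}

if (process.versions.electron) {
  const { app, BrowserWindow, session, shell } = require('electron');
  const EXTERNAL_ORIGINS = new Set(['https://app.example.com']); // assumption
  app.whenReady().then(() => {
    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
      callback({ responseHeaders: withCsp(details.responseHeaders) });
    });
    const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
    win.webContents.setWindowOpenHandler(({ url }) => {
      if (windowOpenPolicy(url, EXTERNAL_ORIGINS) === 'external') shell.openExternal(url);
      return { action: 'deny' };
    });
    win.loadURL('https://app.example.com/');
  });
}
```

Appending rather than replacing the CSP is deliberate: a server-sent policy stays in force and the app's policy is enforced on top of it, so the injection can only make things stricter.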

ref

  • demo: github.com/nawazg/owasp_nzday_2019_talk
  • slack.engineering
  • Electron docs: security
  • Provoke Solutions are hiring