by f2n 2962 days ago
It'll be interesting to see how this works, given that the Signal Desktop client's main page (background.html) includes a CSP that restricts it from running inline or external scripts. It can only run JS that's already in the Signal Desktop package (in theory).

The fact that this isn't being described as an issue with CSPs or Electron makes me wonder how it could possibly work.

3 comments

You are correct, there's also a flaw in CSP not limiting all the ways you can download a resource. And at this time, it's still not fixed. We'll publish an advisory soon.
Electron is unsafe because it's based on outdated versions of Chromium: https://github.com/signalapp/Signal-Desktop/issues/1635
You've linked that thread a couple of times here, never really elaborating on the nature of your concerns, nor do you elaborate on the specific nature of your concerns in the ticket. Have you considered elaborating on the nature of your concerns? Is there a specific vulnerability in Chromium you feel could be exploited here?
In Electron, all file:/// URIs share an origin. Using `script-src: 'self'` isn't much of a boundary.
So let's say I'm able to run HTML in Signal Desktop. How do I include an arbitrary script without getting the user to download the script first?
If I remember correctly, on Windows you can reference file://<IP-Address>/path/to/file

Thanks SMB / UNC Paths.
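
Added example, not part of the thread and not Signal's code: since every file: URI counts as the same origin, a check that a resource really lives inside the application package has to look at the URL's host and path itself. The function name, the install path in `APP_ROOT` and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: decide whether a resource URL points inside the app's own
// package. APP_ROOT is a hypothetical install path; sample URLs are constructed.
const APP_ROOT = 'file:///opt/Signal/resources/app/';

function classifyResource(raw, appRoot = APP_ROOT) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return 'reject: unparseable';
  }
  if (url.protocol !== 'file:') return 'reject: not file scheme';
  // A file: URL with a host names another machine (an SMB/UNC share on Windows).
  if (url.hostname !== '') return 'reject: remote host ' + url.hostname;
  // Encoded separators survive URL normalisation, so refuse them outright.
  if (/%2f|%5c/i.test(url.pathname)) return 'reject: encoded separator';
  // The URL parser has already collapsed "." and ".." segments in pathname.
  let rootPath = new URL(appRoot).pathname;
  if (!rootPath.endsWith('/')) rootPath += '/';
  if (!url.pathname.startsWith(rootPath)) return 'reject: outside app package';
  return 'allow';
}

// Constructed samples: one packaged script, one remote-host file URL
// (documentation address range), one traversal, one local download.
const SAMPLES = [
  'file:///opt/Signal/resources/app/js/background.js',
  'file://203.0.113.7/share/remote.js',
  'file:///opt/Signal/resources/app/../../../../tmp/x.js',
  'file:///home/user/Downloads/x.js',
];

function classifyAll(urls) {
  return urls.map((u) => [u, classifyResource(u)]);
}

for (const [u, verdict] of classifyAll(SAMPLES)) {
  console.log(verdict.padEnd(36), u);
}
```

All four samples are file: URLs, so a same-origin test alone would treat them alike; only the host and path checks separate the packaged script from the rest.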