by bjoli 2954 days ago
Yeah. That fact seems pretty hidden in the reports. Due to proper CSP, only local files will be executed.

If you are who I think you are, maybe you could speculate on whether there is actually any use for this other than loading local files (local file execution) and crashing Signal?


If a .js file is redirected to from a web page, with a Content-Disposition header marking it as a download, and (as is common) the browser downloads automatically to ~/Downloads, doesn't that leave the .js file in a predictable place that can then be used by an attack on Electron?
That could probably be answered by jlund. Electron downloading things by default seems like a pretty bad thing to do.
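The comment above describes a response that redirects to a `.js` file served with a `Content-Disposition: attachment` header so that it lands, unasked, in a predictable download directory. As an added example that is not part of the thread or of any Signal or Electron code, the following Node/JavaScript block parses that header (plain `filename=` and the RFC 6266 `filename*=UTF-8''` form), extracts the extension after stripping any smuggled path components, and returns a block/allow decision that an Electron app could apply before saving a download. The extension list, the sample headers and the URLs are constructed for the example; the Electron hook names in the trailing comment are real APIs but are not executed here.

```javascript
// Added example (not from the HN thread): decide whether an automatic
// download should be refused because it would drop a script-like file
// into the download directory. All sample data below is constructed.

// Extensions treated as executable content a browser shell should never
// silently save. (Assumption: this list is the example's own choice.)
const SCRIPT_EXTENSIONS = new Set([
  '.js', '.mjs', '.cjs', '.html', '.htm', '.hta', '.vbs', '.ps1', '.sh', '.bat', '.cmd',
]);

// Parse a Content-Disposition header into { type, filename }.
// Handles `filename="..."` and the RFC 5987/6266 `filename*=UTF-8''...`
// form; the latter takes precedence when both are present.
function parseContentDisposition(header) {
  if (typeof header !== 'string' || header.trim() === '') {
    return { type: 'inline', filename: null };
  }
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const type = (parts.shift() || 'inline').toLowerCase();
  let filename = null;
  let extFilename = null;
  for (const part of parts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (name === 'filename*') {
      // Form: charset'language'percent-encoded-value
      const m = /^([^']*)'[^']*'(.*)$/.exec(value);
      if (m && m[1].toLowerCase() === 'utf-8') {
        try { extFilename = decodeURIComponent(m[2]); } catch { /* malformed: ignore */ }
      }
    } else if (name === 'filename') {
      if (value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1).replace(/\\(.)/g, '$1'); // unquote and unescape
      }
      filename = value;
    }
  }
  return { type, filename: extFilename ?? filename };
}

// Drop directory components a server might smuggle into the name and
// return the lower-cased extension including the dot, or '' if none.
function fileExtension(filename) {
  if (!filename) return '';
  const base = filename.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot).toLowerCase();
}

// Policy: block when the response is an attachment whose suggested name
// (or, if no name is given, the URL path) ends in a script-like extension.
function shouldBlockDownload({ contentDisposition, url }) {
  const { type, filename } = parseContentDisposition(contentDisposition);
  if (type !== 'attachment') return false;
  const nameToCheck = filename || (url ? new URL(url).pathname : '');
  return SCRIPT_EXTENSIONS.has(fileExtension(nameToCheck));
}

// Where this would plug into Electron (not executed here; needs the
// electron module). The raw header is visible in
// session.defaultSession.webRequest.onHeadersReceived(details => ...),
// and the chosen filename/URL in
// session.defaultSession.on('will-download', (event, item) => {
//   if (shouldBlockDownload({ contentDisposition: 'attachment; filename="' + item.getFilename() + '"',
//                             url: item.getURL() })) event.preventDefault();
// });

module.exports = { parseContentDisposition, fileExtension, shouldBlockDownload, SCRIPT_EXTENSIONS };
```

The parser keeps the `filename*` value over the plain `filename` because that is the precedence RFC 6266 specifies, and the extension check runs on the basename only so that `../../x.js` and `C:\x.js` are judged by their real extension rather than slipping past a naive suffix test.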