by tptacek 2685 days ago
There was about a year and a half worth of security work done on Electron (particularly targeting the Node integration and how Node APIs were exposed). I worry that not a lot of people know just how insecure Electron apps used to be, and would generally worry that new Electron frameworks not designed specifically to be secure are going to recapitulate a lot of that.
2 comments

What is the attack vector that this protects against? Electron apps don't usually just run user-provided code off the internet? They just run the code provided by the app vendor?
XSS in the app, or in things it displays or depends on, ends up being RCE on the client.
I mean, the easy answer is make the web view send messages to Node instead of doing the node integration.