by itsananderson 2350 days ago
It's a great idea to have a template for writing secure Electron apps, but this particular template should only be used with caution. I don't think it has been reviewed or endorsed by the Electron team as actually following those best practices, and I see a few issues just skimming from my phone:

They're trying to expose IPC to the renderer in an unsafe way. See their discussion on this GH issue https://github.com/electron/electron/issues/21437 (referenced from the main readme as blocking some features they want to implement)

On their "building a secure app" page they complain about Electron's quick release cadence https://github.com/reZach/secure-electron-template/blob/mast...

> The trouble that I've found with electron, is that their release schedule is crazy, with only a few months before each major release. We know that electron is a young framework, but it is hard to keep up so quickly!

Electron releases quickly to pull in critical upstream security fixes from Chromium. That reasoning is explained pretty thoroughly in the best practices documentation https://electronjs.org/docs/tutorial/security#17-use-a-curre...

I haven't looked at their implementations of the other security best practices, so these might be the only red flags, but I'd still recommend against just blindly copying the template without understanding and verifying the best practices they're attempting to implement.

1 comments

(author)

Thank you for your feedback. This template has not yet been reviewed but I hope to get candid feedback like yours on spots that may have been missed.

I am planning to change the way the IPC renderer is exposed; Marshall from the Electron team pointed me to a better way of doing so, and I haven't had time to update the repo yet. That will be something I update soon in the code and in the docs.

The best practices I take from Electron themselves: https://electronjs.org/docs/tutorial/security. If there are other security reports, please send them to me and the template can be enhanced further.
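For readers following the IPC point raised in the first comment and the author's reply above, here is an added example (not code from the secure-electron-template, and not the approach the thread says Marshall suggested, which it does not name). It contrasts the unsafe pattern of handing page content the raw ipcRenderer with an allowlisted bridge of the kind Electron's own security docs describe: contextIsolation enabled and a preload script exposing a narrow API through contextBridge. The Electron wiring at the bottom only runs inside Electron; the pure functions run under plain Node so they can be exercised with a fake ipcRenderer. The channel names, the `window.api` name and the `app://myapp` origin are assumptions made for this example.

```javascript
// Added example, not code from the secure-electron-template or from the thread.
// Contrasts the unsafe "expose the raw ipcRenderer" pattern with an allowlisted
// preload bridge. Channel names and the app://myapp origin are assumptions.

// UNSAFE: with nodeIntegration enabled, or by assigning the raw object onto
// window, a compromised renderer (one XSS away) can invoke ANY main-process
// channel and use every ipcRenderer method. Kept as a comment on purpose.
//   window.ipcRenderer = require('electron').ipcRenderer;

// Channels page content is permitted to use (hypothetical names).
const ALLOWED_INVOKE = new Set(['app:get-version', 'settings:read']);
const ALLOWED_SUBSCRIBE = new Set(['app:update-available']);

// Build the narrow API that contextBridge will expose to the page. ipcRenderer
// is injected so the logic can be tested outside Electron with a fake.
function makeBridgeApi(ipcRenderer) {
  return {
    // Request/response: only allowlisted channels reach ipcRenderer.invoke,
    // and the page never obtains a reference to ipcRenderer itself.
    invoke(channel, ...args) {
      if (!ALLOWED_INVOKE.has(channel)) {
        return Promise.reject(new Error(`IPC channel not allowed: ${channel}`));
      }
      return ipcRenderer.invoke(channel, ...args);
    },
    // Push from main to renderer: the callback receives only the payload.
    // The IpcRendererEvent is deliberately dropped, because event.sender is
    // the raw ipcRenderer and forwarding it would reopen the hole above.
    on(channel, callback) {
      if (!ALLOWED_SUBSCRIBE.has(channel)) {
        throw new Error(`IPC channel not allowed: ${channel}`);
      }
      const listener = (_event, ...args) => callback(...args);
      ipcRenderer.on(channel, listener);
      return () => ipcRenderer.removeListener(channel, listener); // unsubscribe
    },
  };
}

// Main-process side: handlers should also verify who sent the message, since
// an <iframe> or a navigated window reaches ipcRenderer through the same
// preload. Assumes the app is served from the custom scheme app://myapp.
function isTrustedSenderUrl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === 'app:' && u.host === 'myapp';
}

// Wrap an ipcMain.handle callback so it rejects untrusted senders first.
function withSenderCheck(handler) {
  return (event, ...args) => {
    const url = event && event.senderFrame && event.senderFrame.url;
    if (!isTrustedSenderUrl(url)) {
      throw new Error(`IPC from untrusted sender rejected: ${url}`);
    }
    return handler(event, ...args);
  };
}

// Electron wiring. In a real app the preload part lives in preload.js and the
// ipcMain part in main.js; both are guarded here so the file also loads in Node.
let electron = null;
try { electron = require('electron'); } catch { /* plain Node: nothing to wire */ }
if (electron && electron.contextBridge && electron.ipcRenderer) {
  // Preload context: with contextIsolation: true this object is the only
  // bridge the page sees, reachable as window.api.
  electron.contextBridge.exposeInMainWorld('api', makeBridgeApi(electron.ipcRenderer));
}
if (electron && electron.ipcMain) {
  electron.ipcMain.handle('app:get-version',
    withSenderCheck(() => electron.app.getVersion()));
}
```

For the bridge to mean anything the BrowserWindow must be created with `contextIsolation: true`, `nodeIntegration: false` and the preload path set in `webPreferences`; with context isolation off, page script can reach the preload's globals directly and the allowlist is bypassable. Keeping the allowlist in the preload rather than in page code matters for the same reason: the page is the untrusted side.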

Is it possible for you to switch your license to something more like MIT or BSD? The work you're doing is great but I believe the majority of Electron apps are developed inside companies and by licensing your project as GPL you make your work into something most commercially employed devs can't touch.
Looks like they just switched to the MIT license (same license Electron itself uses).
(author)

I just did, the repo is now MIT. Enjoy!