|
|
|
|
|
|
by greggman3
2115 days ago
|
|
|
Part of this is Electron's environment and arguably fault. Electron used to default to insecure. You were basically running a web browser except with full access your entire machine file system/camera/mic/network etc. If you are an inexperienced developer it wasn't obvious that live linking to any 3rd party code could be an issue. Electron kind of fixed that. They warn you now and default to more secure. How many devs are capable of keeping it secure is up for debate. As a related issue, it used to be (maybe still is) that by default, links you click in Electron open in Electron. So you make any app that accepts user data and links and suddenly people are browsing the entire net in an un-secured browser. And worse, they break stuff. I made an electron app and explicitly made it so all links open in the user's browser. I updated to a new version and then to my horror found whatever I had done to make sure links opened in an external browser stopped opening links in an external browser. Native apps can have exploits but most native apps aren't designed to be an environment for running arbitrary code. They're only an app for working on data. Note, I love Electron, I've used it for several projects and it's great. But I'm also afraid of it and wish OSes were themselves more sandboxed so I didn't have to worry about it. |
|
|