[5-]

> Firefox

should be able to just use the mozilla's official build which comes with an auto-updater (and it implements the sandbox itself, so no need for another one on top).

> Zotero

> Joplin

both electron shells. also come with their sandbox already. most rolling release distributions would just package these with a system-provided electron build.

[smashed]

> both electron shells. also come with their sandbox already.

Not sure about the 2 specific apps posted, but web applications packaged as electron apps often do so in order to easily escape the normal browser sandbox without having to prompt for permissions? Or even call into native code which would be impossible from a web app.

I would not think that because an app is electron based, it is sandboxed from your system.

Ideally if you can run the same app under your normal web browser, you'd be fine. I see many people install the Slack app for example, but the web version works just as well within the full browser sandbox.

[c-hendricks]

You're correct. In fact, they can even let webpages break out of the sandbox. So, some random JS loaded from the web can now compromise your system.

The person you're replying to is quite mistaken.

[teruakohatu]

> Zotero

> both electron shells

Zotero is a XUL application, not Electron. The soon to be released version 7 is a major rewrite and is based on Firefox.

Zotero is one of those cruitual applications where Flatpak is nice. I want it to be self contained. I don't want anything messing it which could lose me weeks of research.

[pengaru]

> (it implements the sandbox itself, so no need for another one on top).

"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape." [0]

Defense in depth applies here, you definitely want to sandbox any network application as complex as a modern web browser.

[0] https://nvd.nist.gov/vuln/detail/CVE-2022-26486

[Hamcha]

I always assume Electron apps are going to be more vulnerable than your average app. They tend to have the same vulnerabilities as web browsers (who are a big target for exploits given the reach) but have 2 additional layers of "bureaucracy" (the App's own update schedule and Electron's) before the underlying vulnerable engine is patched.