by nicoburns 54 days ago
I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

Yep. JavaScript VM breakout, sandbox breakout and Spectre/Meltdown side-channel leaks are all tracked as vulnerabilities towards Electron, while ordinary apps don't even have such security features.
I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.
The last one. It would make sense to have a sandbox system, but they don’t.
Didn't some get exploited early on because Electron made it trivial to load third-party websites without any kind of XSS protection?