
Discussion about security implications for offline-only apps or apps that only load secure content


@reZach

as per my original post, and you were nice enough to offer insights, I would love to get clarification and your thoughts on the following.

Since Electron currently does NOT implement any security mechanism to protect the source code, it would be helpful for devs to get an explanation of what security implications they are facing when changing certain recommended Electron settings.

Types of apps would include:

  • (1) online-only app (e.g. Slack)
  • (2) app that connects to remote sources, but NOT to 3rd-party sources, hence the app ONLY loads verified/validated content
  • (3) offline-only app (only loads local content)

Specifically, why is the contextIsolation setting “helpful” and/or “needed” for apps (2) and (3) ?

Thanks !

Issue Analytics

  • State:closed
  • Created a year ago
  • Reactions:2
  • Comments:11 (6 by maintainers)

Top GitHub Comments

1 reaction
reZach commented, Aug 21, 2022

@reZach How about the case where you are writing a front end for a nodejs script that is normally run from the command line? In this case, it seems pointless to add any security measures as the whole point of the script was to directly access nodejs functionality, and the whole point of using Electron would be to create a nicer interface to the existing functionality. It seems like having to create a whole API would be a lot of extra unnecessary work as opposed to just dropping the existing code in. Am I missing something here?

@michael-ts I would still recommend executing the script on the backend of the Electron app, if nothing else as it allows for extensibility if you decide to distribute it to others in the future, besides adhering to the frameworks current best-practices. However if what I’m reading between the lines here is that it’s a tool for yourself as a QoL improvement, you would probably be fine dropping your script in an Electron app.

1 reaction
petef19 commented, May 18, 2022

With contextIsolation:true, you can still “require” things your renderer process can use

the require function is not available in the renderer process with ctxIso enabled, i.e. you can NOT use require in index.html, at least as far as I’ve tested (please report if you find otherwise), but I believe that is one of the main points of ctxIso, to remove that…

In my opinion, I feel malicious users would choose to exploit the fact that contextIsolation is off before trying to decompile your app. But due to the fact that you say your content is encrypted and then evaluated, I think it’s more secure that your use of bytenode to encrypt the renderer/main process code instead of turning contextIsolation on.

this is the same conclusion we came to (for our specific use case). But in the other thread, and another dedicated one before that, it was all dismissed and it was hammered over and over that you need ctxIso and sandbox which completely exposes the dev’s code - zero protection. I was not debating the viability of these options, but rather was looking for elaboration/input for other use cases (such as ours), but all of this was dismissed with bogus, nonsense arguments.

ok, thanks for taking the time and chiming in, much appreciated. Always good to have another mind think through a specific use case.

And if anybody else wants to chime in, please do! Definitely open to hear anybody else’s solution to how you protect your code in Electron!

Thanks !


