alt Hacker NewsI imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.
Replies
no-name-here • today at 3:11 AM
I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.
josefx • yesterday at 6:09 PM
Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?
Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.