A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.
⚠️ Under no circumstances should you load and execute remote code with Node.js integration enabled. Instead, use only local files (packaged together with your application) to execute Node.js code. To display remote content, use the <webview> tag or BrowserView, make sure to disable nodeIntegration and enable contextIsolation.
While you are using a local file here, it's worth noting that this can apply if you're loading e.g. JavaScript from a remote source in that file, or remote JavaScript called from a local JS file.
Might also want to strip this from the output if app.isPackaged === true when you package (not just wrap the function to run if false) to ensure it's not running in production. electronjs.org/docs/api/app#appisp....
In the case of Electron, because it has access to Node APIs like fs AND remote frontend code, extra considerations are necessary to keep yourself and your users from getting pwned.
Obligatory security warning:
electronjs.org/docs/tutorial/security
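The settings the quoted Electron guidance calls for (nodeIntegration off, contextIsolation on for anything remote), as an added example that is not code from the thread or from the Electron project: a small audit of a BrowserWindow's webPreferences against the URL it loads, next to a hardened preferences object. The functions are pure so they run without Electron; `preloadPath` and the `loadsRemoteScripts` flag are assumptions for illustration.

```javascript
// Added example (not from the thread): check BrowserWindow webPreferences
// against what the window loads, and build a hardened set of preferences.
// Defaults have tightened across Electron versions (nodeIntegration is off by
// default since 5, contextIsolation on since 12), so only explicit values are
// flagged here; set every key explicitly rather than relying on a default.

// Return findings for a window loading `url`. `loadsRemoteScripts` is an
// assumed flag for the case the comment above raises: a local file that pulls
// in JavaScript from a remote origin is remote content for this purpose.
function auditWindow(webPreferences, url, loadsRemoteScripts = false) {
  const prefs = webPreferences || {};
  const isRemote = /^https?:\/\//i.test(url) || loadsRemoteScripts;
  const findings = [];
  if (prefs.nodeIntegration === true && isRemote) {
    // Page scripts can require('fs'), child_process, etc.
    findings.push('remote content loaded with nodeIntegration enabled');
  }
  if (prefs.contextIsolation === false) {
    // Preload-script globals become reachable (and overridable) from the page.
    findings.push('contextIsolation disabled');
  }
  if (prefs.sandbox === false) {
    findings.push('renderer sandbox disabled');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity disabled: same-origin policy off');
  }
  return findings;
}

// webPreferences for a window that displays remote content. `preloadPath` is
// an assumed path to a preload script that exposes a minimal API via
// contextBridge; nothing from Node is reachable from the page directly.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    preload: preloadPath,
  };
}

// Usage in main.js: new BrowserWindow({ webPreferences: hardenedWebPreferences(p) })
module.exports = { auditWindow, hardenedWebPreferences };
```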
Thanks! And totally agree. Always have to keep an eye on the security concerns, especially with Electron apps.