This repository has been archived by the owner on Dec 23, 2023. It is now read-only.
The preload script for the browserwindow is an important security risk. #7
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Look at https://github.com/electron/electron/blob/master/docs/tutorial/security.md#ignoring-above-advice . The preload script does exactly what they say we should not do. It's a boiler plate with no restriction, so it could be used to allow the browser window to load arbitrary urls. If I know who is using this app in this way, I will invite him to visit my site with a script that will access all the node api !!!
The text was updated successfully, but these errors were encountered: