undefined | Better HN

0 pointsintelVISA3y ago0 comments

Only thing I can't handle is how Red Hat, with its bllions, can't afford a few extra dollars for user-respecting, secure native GUIs.

0 comments

3 comments · 1 top-level

ragnese3y ago· 2 in thread

I hate Electron apps, too, but I've not heard people complain about security before. What's the security problem with Electron apps?

I understand that you're basically running a Node.js instance for each app, but why is that more insecure than running, say, a GTK app? Since GTK and Node.js are written in C and C++, respectively, my gut instinct would be to assume they're equally likely to have security bugs.

cjbprime3y ago

The difference is that no-one would load remote-user-supplied C++ code at runtime and expect it not to result in vulnerability, but people remotely source JS, or allow remote-user-supplied HTML to interact with their JS, and the stakes are higher than they would be in a web browser, because Node (and therefore Electron) has APIs to e.g. read and write to your filesystem and browsers have sandboxes to block that.

(Electron offers sandboxing too, but you're likely to actually want to use the OS features so it's not as simple as always disallowing the access.)

wiseowise3y ago

Quick search https://www.cvedetails.com/vulnerability-list.php?vendor_id=...

j / k navigate · click thread line to collapse