This repository was archived by the owner on Dec 23, 2023. It is now read-only.
This repository was archived by the owner on Dec 23, 2023. It is now read-only.
The preload script for the browserwindow is an important security risk. #7
Description
Look at https://github.com/electron/electron/blob/master/docs/tutorial/security.md#ignoring-above-advice . The preload script does exactly what they say we should not do. It's a boiler plate with no restriction, so it could be used to allow the browser window to load arbitrary urls. If I know who is using this app in this way, I will invite him to visit my site with a script that will access all the node api !!!