Electron: From Awesome To Scary And Back Again (ScotlandJS)

FHV
July 20, 2018

Electron lets you use JS to write cross-platform desktop applications that look like the real deal -- that's kinda cool? But the thing ships with a million scary security warnings! So, what are some of the fun things you could do with it, how could they go wrong, and how do you make them safe?


Transcript

  1. Title

  2. Hi.

  3. Table of contents • The what and why of Electron • The Electron security model • How to Electron safely • Some optimism!

  4. What is it? Why is it?

  5. How does it work?

  6. Nodejs Chromium

  7. Code example with require()

  8. None
  9. The security model

  10. Browser sandbox

  11. Diagram of user space?

  12. None
  13. repeat: code example with require()

  14. XSS snippet

  15. None
  16. Scary nodejs xss possibilities

  17. None
  18. None
  19. How to Electron safely

  20. node_modules

  21. Npm audit

  22. Page loads from all over the place

  23. wysiwyg

  24. totally restrictive CSP

  25. CSP screenshot

  26. Electron updates are your friend

  27. Lots of eyes audit audit audit

  28. None
  29. None
  30. None
  31. Now for some optimism…

  32. None
  33. None
  34. the threat model of a desktop app

  35. None
  36. Conclusion

  37. resources

  38. Contact info

  39. None
  40. Hi.