Basically, as one found example which has me questioning this ability: Bootstrap Studio allows live page editing and rendering (HTML/CSS) in app as well as external preview via browsers. However, live JS rendering in app (jQuery, vanilla JS, libraries, etc.) is disabled and stated by the developer to be a security risk in the Electron app (see quotes below).
Is this indeed a security risk or limitation within an Electron app? Or can it be accomplished to allow for securely rendering JS in app via a live preview? In my research I can’t seem to find a definitive answer, only fragmented bits of information in various places. But perhaps I am querying the wrong topics and Google searches.
Any general or specific insight, information, or the proper methods and techniques to consider regarding how this could be successfully accomplished “securely” in an Electron app, or the specific reasons why it in fact can’t be successfully accomplished based upon Electron’s current security limitations, would be very helpful to understand.
So are there any existing apps anyone is aware of created with Electron that demonstrate this ability to render JS live successfully and securely in app? Or why, for example, Bootstrap Studio or other apps built with Electron would be limited in doing so?
I trust that all made sense. Thanks in advance everyone for your time and knowledge. I’m looking forward to everyone’s responses and feedback.
Below I included some quotes / discussions found on the Bootstrap Studio forum from the developer discussing the topic of security and running JS, etc., in an Electron app.
[details="Click to see Security Quotes and Discussion"]
> https://bootstrapstudio.io/forums/topic/export-script-coding-with-js-and-node/#post-5368
Bootstrap Studio is indeed developed in Electron, but we can’t execute your scripts in the same process for security reasons. Your code needs to be run in a separate process.
The Object element is a powerful feature that we would like to add to the app eventually. The only issue that we have with it, is that it can be used to embed things like flash, pdfs and web pages which can’t be properly secured for display within the application itself. Even SVG files embedded within can become a security concern, as they can execute JS code.
This is the only way we can make it work securely. Unfortunately this means that in some cases what you see in the app itself will be different from the preview and export.
JS can’t be added to the application, sorry. It is not technically possible to do safely, and it will be catastrophic to expect people to never screw up their code. It can only be done in a new process with its own window, but by that point you have an alternative to the current Preview, which you can already use to test your code.
Thank you for the suggestion! < and > are escaped for security reasons and I think it will be best to not change it. But you can use Custom Code for this.
- on* attributes aren’t supported for security purposes and they are ignored in the application (and as you’ve seen, they are stripped from the preview and export code as well).
[/details]
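For reference, the isolation the developer describes above (“a new process with its own window”) is what Electron’s own hardening options are for. The following is an added example, not Bootstrap Studio’s code; it assumes Electron 25 or newer (for `protocol.handle`), that `openPreviewWindow` is called after the app’s `ready` event, and a made-up `preview://` scheme for serving the user’s page.

```javascript
// CSP sent with the preview document: the user's inline scripts and styles run
// (that is what the live preview is for), but nothing is fetched from the
// network, no plugin content (Flash/PDF objects) loads, and nothing is framed.
const PREVIEW_CSP =
  "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; " +
  "img-src data: blob:; font-src data:; object-src 'none'; frame-src 'none'; " +
  "form-action 'none'; base-uri 'none'";

// Renderer settings that keep page scripts inside an isolated, sandboxed process.
function previewWebPreferences() {
  return {
    sandbox: true,                   // Chromium OS sandbox for this renderer
    contextIsolation: true,          // page JS cannot reach the preload world
    nodeIntegration: false,          // no require()/process for page scripts
    nodeIntegrationInSubFrames: false,
    webviewTag: false,               // page cannot spawn further <webview>s
    webSecurity: true,
    allowRunningInsecureContent: false,
  };
}

// Every key must be set explicitly to the safe value; an absent key is reported
// so the check does not depend on which Electron version's defaults apply.
const REQUIRED = { sandbox: true, contextIsolation: true, nodeIntegration: false,
  nodeIntegrationInSubFrames: false, webviewTag: false, webSecurity: true };
function auditWebPreferences(prefs) {
  return Object.entries(REQUIRED)
    .filter(([key, safe]) => prefs[key] !== safe)
    .map(([key, safe]) => `${key} must be ${safe}`);
}

// Open the preview in its own BrowserWindow (own renderer process). `electron`
// is passed in so the functions above stay usable without it, e.g. in tests.
function openPreviewWindow(electron, userHtml) {
  const problems = auditWebPreferences(previewWebPreferences());
  if (problems.length) throw new Error('unsafe preview settings: ' + problems.join('; '));
  const { BrowserWindow, protocol } = electron;
  // Serve the HTML over a private scheme (assumed name) so the CSP arrives as a
  // response header and governs the whole document without editing the markup.
  if (protocol.isProtocolHandled('preview')) protocol.unhandle('preview');
  protocol.handle('preview', () => new Response(userHtml, { headers: {
    'Content-Type': 'text/html; charset=utf-8', 'Content-Security-Policy': PREVIEW_CSP } }));
  const win = new BrowserWindow({ webPreferences: previewWebPreferences() });
  win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));       // no popups
  win.webContents.on('will-navigate', (event) => event.preventDefault()); // stay on preview
  win.webContents.session.setPermissionRequestHandler((_wc, _perm, cb) => cb(false));
  win.loadURL('preview://page/');
  return win;
}
```

Even with these settings the preview must stay a separate window: a `webPreferences` typo or a later Electron default change is exactly the “screw up” the developer refers to, which is why `auditWebPreferences` refuses to open the window rather than warn.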