Security Public Service Announcement


#1

Atom integrates node and client side javascript in one package. It’s great! There’s so much power at your fingertips and makes writing extensions really easy.

There is a downside though.

We’re all used to modern browsers sandboxing sites (only gaining execution through a proper exploit).

With Atom, any remote resource that can gain javascript execution (all HTML, script, etc.), can gain access to your box.

var spawn = require('child_process').spawn,
    touch = spawn('touch', ['/tmp/plopped']);

Please be careful when displaying any amount of HTML that fetches something remote (whether in a view pane, an iframe, whatever).

Another discussion lives here: Mobile/Responsive Preview Package.


Mobile/Responsive Preview Package
#2

node-webkit, which is similar to the technology used in Atom (node.js + chromium) allows you to disable node.js in iframes and new windows, maybe Atom has something like this, although I haven’t found it yet in the API. node-webkit adds two new attributes to iframes “nwdisable” and “nwfaketop” which makes it safer to work with external, unchecked code. nwdisable is used to disable node.js in an iframe (and in new windows), nwfaketop is used to keep the external code from breaking out of the iframe by convincing the code it would already be executed at the top level of the DOM.

There is also the sandbox attribute on iframes which for example allows you to disable javascript completely in an iframe. So if Atom doesn’t have anything to make external code more secure, you might be able to use this instead.


#3

#4

What is the status of this issue? Is there a Node-Webkit like feature that disables access node apis for a specific set of sites (for example non local ones)

For example does this affect extensions like? https://atom.io/packages/atom-browser-webview