Webview vs Sandboxed Iframe for Security


#1

What is the safest option for loading an HTML file into an Electron app that although sanitized, may contain malicious code?

Option 1: Using the <webview> tag
Option 2: Using a sandboxed iframe <iframe sandbox> with no permissions?


#2

<webview> runs in a different renderer process and is completely standalone from parent container.

<iframe> allows you to interact with parent based on cross-domain model and whatever you enable for sandbox options.
You talk about malicious code so at a minimum you have to enable javascript in the <iframe>

Useful discussions here:
https://www.tinfoilsecurity.com/blog/protect-your-website-from-embedded-content-iframe-security


https://slack.engineering/building-hybrid-applications-with-electron-dc67686de5fb#.806kytc8y

If your code needs any access to local node.js, then webview with nodeintegration=false and preload script and tight exposed API object.
I don’t think you can apply nodeintegration or webpreferences to <iframe> so running in whatever is enabled in BrowserWindow.