Webview vs Sandboxed Iframe for Security


What is the safest option for loading an HTML file into an Electron app that, although sanitized, may contain malicious code?

Option 1: Using the <webview> tag
Option 2: Using a sandboxed iframe <iframe sandbox> with no permissions?


<webview> runs in a different renderer process and is completely standalone from the parent container.

<iframe> allows you to interact with the parent based on the cross-domain model and whatever you enable for sandbox options.
You talk about malicious code, so at a minimum you have to enable JavaScript in the <iframe>.

Useful discussions here:


If your code needs any access to local Node.js, then use webview with nodeintegration=false, a preload script and a tight exposed API object.
I don’t think you can apply nodeintegration or webpreferences to <iframe>, so it runs with whatever is enabled in the BrowserWindow.
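
The webview settings mentioned in the answer can be enforced from the main process rather than trusted from markup. The following is an added example, not code from the original post: it uses Electron's `will-attach-webview` event to force `nodeIntegration` off and pin the preload script before a `<webview>` is created. The policy values (allowed protocol, preload path) and the function names are assumptions made for illustration.

```javascript
// Assumed policy for this example: only local files may be shown, and only one
// vetted preload script (hypothetical path) may run inside the <webview>.
const POLICY = {
  allowedProtocols: ['file:'],
  preloadPath: '/opt/app/preload/untrusted-view.js',
};

// Rewrites the options Electron is about to use for a <webview> and decides
// whether the attach may proceed. Mutates webPreferences in place, because
// that is how the will-attach-webview handler changes the final settings.
function hardenWebviewOptions(webPreferences, params, policy = POLICY) {
  // Ignore any preload requested via the tag; only the vetted script runs.
  webPreferences.preload = policy.preloadPath;

  // Page content never gets Node.js; the preload runs in an isolated context.
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInSubFrames = false;
  webPreferences.contextIsolation = true;
  webPreferences.sandbox = true;
  webPreferences.webSecurity = true;

  let url;
  try {
    url = new URL(params.src);
  } catch {
    return { allow: false, reason: 'unparseable src' };
  }
  if (!policy.allowedProtocols.includes(url.protocol)) {
    return { allow: false, reason: `protocol ${url.protocol} not allowed` };
  }
  return { allow: true, reason: 'ok' };
}

// Wiring for the main process; pass in require('electron').app.
function installWebviewGuard(app, policy = POLICY) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      const verdict = hardenWebviewOptions(webPreferences, params, policy);
      if (!verdict.allow) event.preventDefault(); // the <webview> is never attached
    });
  });
}
```

The preload script named in the policy is where the small API object would be exposed to the page, for example through `contextBridge.exposeInMainWorld`.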