Security

BiosSystem edited this page May 22, 2026 · 2 revisions

Security Architecture

The Universal Retro Arcade is built on Tauri v2 and Phaser, combining web frontend speed with Rust security. This document outlines the security architecture and local sandboxing models.


1. Tauri v2 IPC Command Scoping

Tauri limits access to the underlying OS by restricting IPC (Inter-Process Communication) commands.

  • Isolation Pattern: The frontend cannot run shell scripts, read arbitrary filesystem paths, or query external domains unless explicitly allowed.
  • Allowed Command Set: The Rust core only exposes endpoints for local configuration reading/writing and local high score database persistence.
  • No Remote Code Execution: Dynamic HTML evaluation and remote iframe imports are blocked by a strict Content Security Policy (CSP).

2. Local State & Database Tampering

High scores and configuration parameters are stored locally via IndexedDB.

  • State Validation: On boot, the game engine runs basic type-checking and value clamping on stored scores.
  • Prevention of Tampering: Although local WebGL states can be modified in developer consoles, the launcher validates score metrics to ensure impossible high scores (e.g., scoring millions of points instantly) are excluded from the local leaderboards.
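
The boot-time check described above, sketched as an added example (not the project's own code). The record fields `player`, `score` and `durationMs`, the `LIMITS` values and both function names are assumptions made for illustration.

```javascript
// Added example: field names and limits are assumptions, not the project's schema.
const LIMITS = Object.freeze({
  maxScore: 9999999,         // assumed cap for a single leaderboard entry
  maxPointsPerSecond: 5000,  // assumed ceiling on a plausible scoring rate
  maxNameLength: 12,
});

// Returns a cleaned copy of the record, or null if it must be excluded.
function validateScore(raw, limits = LIMITS) {
  if (raw === null || typeof raw !== "object") return null;
  const { player, score, durationMs } = raw;

  // Type checks: reject numeric strings, NaN, Infinity and non-integers.
  if (typeof player !== "string" || player.length === 0) return null;
  if (!Number.isSafeInteger(score) || !Number.isSafeInteger(durationMs)) return null;
  if (score < 0 || durationMs <= 0) return null;

  // Plausibility: millions of points scored in an instant fail the rate check.
  const pointsPerSecond = score / (durationMs / 1000);
  if (pointsPerSecond > limits.maxPointsPerSecond) return null;

  // Clamping: bound what is kept instead of trusting stored magnitudes.
  return {
    player: player.slice(0, limits.maxNameLength),
    score: Math.min(score, limits.maxScore),
    durationMs,
  };
}

// Builds the local leaderboard from whatever the store returned.
function buildLeaderboard(storedRecords, limits = LIMITS) {
  if (!Array.isArray(storedRecords)) return [];
  return storedRecords
    .map((record) => validateScore(record, limits))
    .filter((record) => record !== null)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample standing in for records read back from IndexedDB.
const SAMPLE_RECORDS = [
  { player: "AAA", score: 48200, durationMs: 185000 },      // legitimate
  { player: "HAX", score: 5000000, durationMs: 1000 },      // instant millions
  { player: "BBB", score: "99999", durationMs: 60000 },     // wrong type
  { player: "CCC", score: -50, durationMs: 60000 },         // negative value
  { player: "DDD", score: 12000000, durationMs: 3600000 },  // plausible rate, over cap
  { player: "LONGPLAYERNAME123", score: 900, durationMs: 30000 },
];
```

Because the records and the validator both live on the player's machine, this keeps the local leaderboard sane but is not an integrity guarantee: a record edited to look plausible still passes.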

3. Shader Bounds & WebGL Sandboxing

GLSL shaders (including the CRT post-processing filter) execute within the GPU pipeline managed by the browser wrapper.

  • Memory Caps: Shaders use bounded coordinate mappings to avoid out-of-bounds float calculations or buffer read/write overflows.

4. Vulnerability Disclosure

To report vulnerabilities or security issues, please contact the security team directly at security@bios_system.io.
