Skip to content

Harden app security: Electron 41, CSP, DevTools gate, entitlements#14

Merged
adibhanna merged 4 commits intomainfrom
chore/harden-app-security
Apr 17, 2026
Merged

Harden app security: Electron 41, CSP, DevTools gate, entitlements#14
adibhanna merged 4 commits intomainfrom
chore/harden-app-security

Conversation

@adibhanna
Copy link
Copy Markdown
Contributor

@adibhanna adibhanna commented Apr 17, 2026

Summary

Production-readiness pass following the audit. Four atomic commits, each independently buildable.

Commits

1. Gate DevTools menu in production, trim mac entitlements

  • View → Toggle Developer Tools is now hidden in packaged builds (still available in npm run dev)
  • Removed com.apple.security.cs.disable-library-validation — no prod native deps need unsigned dylibs
  • Kept allow-jit and allow-unsigned-executable-memory (required by Electron V8 JIT)

2. Upgrade Electron 33 → 41, electron-builder 25 → 26

  • Electron 33 is past its security window. 41 is current stable.
  • Chromium, V8, and Node bumps come along for free; no source changes needed.
  • electron-vite was not upgraded (5.x has breaking config type changes; build-time only, no runtime security impact).

3. Tighten Content Security Policy

  • Added frame-ancestors 'none' (anti-clickjacking), manifest-src 'none', explicit worker-src, connect-src
  • Added inline documentation explaining why unsafe-eval and unsafe-inline remain (function-plot, jsxgraph, mermaid, Tailwind)

4. Remove diagnostic console.log from IPC handler

  • Drop the listFontFamilies log line that leaked into prod stdout.

What was NOT changed (deliberately)

  • sandbox: false stays. With contextIsolation: true + a tight preload surface + the navigation guards already in place, this is a defensible tradeoff. Flipping it would require reworking preload IPC.
  • unsafe-eval stays. Three diagram engines depend on it. The proper future fix is iframe-sandboxed diagram rendering — tracked as its own piece of work.

Test plan

Local verification before pushing:

  • `npm run typecheck` green
  • `npm run build` green on Electron 41
  • `npm run test:run` — 5/5 pass
  • `npm audit --omit=dev` — 0 vulnerabilities
  • CI green on all three platforms
  • Smoke test packaged build (manual): confirm DevTools menu entry is absent in prod, signed mac build notarizes cleanly without `disable-library-validation`

Known conflict

`package.json` + `package-lock.json` will likely conflict with the recent `1747b12 Disable Dependabot and fold in safe dependency updates` commit. When merging, prefer this branch's versions (the Electron bump supersedes the incremental updates there).

@adibhanna
Harden production: gate DevTools menu; trim mac entitlements
74ddb0c 
- Hide the View → Toggle Developer Tools menu entry in packaged builds.
  DevTools are still accessible in dev (npm run dev) via the same role,
  so the developer loop is unaffected.
- Remove com.apple.security.cs.disable-library-validation from the mac
  entitlements. We ship no third-party unsigned native modules in
  production dependencies, so library validation should stay on and
  reject any injected dylibs.

Kept (still required):
- com.apple.security.cs.allow-jit
- com.apple.security.cs.allow-unsigned-executable-memory
Both are needed by Electron's V8 JIT under Hardened Runtime.
@adibhanna
Upgrade Electron 33 → 41 and electron-builder 25 → 26
3e8ca53 
Electron 33 is past the three-major support window and no longer
receives security patches. 41 is the current stable and puts us
back on the supported release train. Build, typecheck, and tests
pass unchanged.

- electron ^33.2.1 → ^41.2.1
- electron-builder ^25.1.8 → ^26.8.1

No source changes were needed to accommodate the Chromium, V8, or
Node.js bumps that come with this jump.
@adibhanna
Tighten Content Security Policy
96f460e 
Add frame-ancestors 'none' (anti-clickjacking), manifest-src 'none'
(no web manifest is served), explicit worker-src and connect-src,
and document the unsafe-eval trade-off inline.

unsafe-eval and unsafe-inline remain because:
  * function-plot evaluates math.js expressions at runtime
  * jsxgraph evaluates formula strings for interactive geometry
  * mermaid parser paths rely on runtime Function()
  * Tailwind and React emit inline style attributes

The proper future fix for unsafe-eval is to render diagram blocks
inside sandboxed iframes with their own relaxed CSP, keeping the
main renderer strict. That's a dedicated refactor and belongs in
its own change.
@adibhanna
Remove font-list diagnostic console.log from prod IPC handler
bb87de4
@adibhanna adibhanna force-pushed the chore/harden-app-security branch from c75eb0b to bb87de4 Compare April 17, 2026 19:44
@adibhanna adibhanna merged commit 3b39671 into main Apr 17, 2026
5 checks passed
@adibhanna adibhanna deleted the chore/harden-app-security branch April 17, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@adibhanna