Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is loading user plugin secure? #1

Closed
aktywnitu opened this issue Feb 19, 2016 · 2 comments
Closed

Is loading user plugin secure? #1

aktywnitu opened this issue Feb 19, 2016 · 2 comments

Comments

@aktywnitu
Copy link

Hi,

I would like allow users to add guest plugins to my app.
Is it secure to Javascript app core code? - it should be private.
@justinmchase
Copy link
Contributor

it uses ssl but the api endpoints have to essentially be public.

@justinmchase
Copy link
Contributor

After re-reading this I'm understanding that you are actually asking about the safety of the plugin code itself...

The answer is that the code would be run with the same permissions as the app itself: so anything your app can do that plugin could would be able to do. Typically this would be user level permissions, which would let the plugin access the users files etc.

Probably the best solution to isolate plugin code like this if you are concerned about it would be to load it in a <webview> instead of your main app. Electron itself will isolate this code from your application and it will run in an untrusted process. This is assuming you are using these plugins inside an electron app!

If you are not running in electron you probably will need to use child_process and do the isolation yourself, or work on a native module. I'm not sure how safe or easy that would be though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinmchase @aktywnitu