This repository has been archived by the owner on Sep 29, 2023. It is now read-only.
In the version currently in git, nativefier does not pass sandbox: true when creating windows. This means that there are potentially privilege escalation exploits not present in a normal browser. I haven't been able to find any specific ones, but it's still pretty scary to have sandbox disabled. I'll likely look at enabling it soonish.
I think I experimented with the sandbox option before and determined that it broke the behavior of some websites that show popups. I suspect that it has to do with window.open reverting to standard Chromium behavior (instead of Electron behavior), as described in the above-linked docs. But maybe I'm misremembering, or perhaps that behavior has changed since I tried it (it was Electron v3).
I've made modifications locally to the installed nativefier and it seems that this has no functional impact. This is definitely something that should be turned on from a security point-of-view.
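Added example, not part of the thread and not nativefier's code: a small check that flags window option objects which never request the sandbox, plus a helper that forces it on without mutating the caller's object. The function names and the sample window configurations are hypothetical; `webPreferences.sandbox` is the Electron BrowserWindow option discussed above.

```javascript
// Added example: function names and sample data are hypothetical, not nativefier's.

// Return a copy of BrowserWindow options with the renderer sandbox forced on.
// Other webPreferences are preserved and the input object is not mutated.
function withSandbox(windowOptions = {}) {
  return {
    ...windowOptions,
    webPreferences: { ...(windowOptions.webPreferences || {}), sandbox: true },
  };
}

// Report why a set of window options does not explicitly request a sandboxed
// renderer. Anything other than a literal `sandbox: true` is a finding, which
// covers the case in the issue: the option is simply never passed.
function auditSandbox(name, windowOptions = {}) {
  const prefs = windowOptions.webPreferences || {};
  if (!Object.prototype.hasOwnProperty.call(prefs, 'sandbox')) {
    return [`${name}: webPreferences.sandbox is not set`];
  }
  if (prefs.sandbox !== true) {
    return [`${name}: webPreferences.sandbox is ${JSON.stringify(prefs.sandbox)}`];
  }
  return [];
}

// Audit every named window configuration and collect the findings.
function auditAll(windows) {
  return Object.entries(windows).flatMap(([name, opts]) => auditSandbox(name, opts));
}

// Constructed sample configurations (not taken from any real application).
const SAMPLE_WINDOWS = {
  main: { width: 1280, height: 800, webPreferences: { nodeIntegration: false } },
  popup: { webPreferences: { sandbox: false } },
  login: { webPreferences: { sandbox: true } },
};

console.log(auditAll(SAMPLE_WINDOWS).join('\n'));

// In an Electron main process the hardened object would be passed as
// `new BrowserWindow(withSandbox(options))`.
```

Because sandboxing changes how `window.open` popups behave, as noted in the comment above, popup flows are the first thing to retest after applying it.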