Bitshares technology highlight - Enabling Electron context isolation to enhance application cybersecurity

in voilk •  3 months ago

    Enable Electron context isolation!

    A task I've had to repeatedly approach recently is fully enabling context isolation in Electron-based applications. Having developed multiple Electron-based applications and contributed to the Beet wallet, I came across Electron's third security recommendation: enabling context isolation, in line with industry best practice.

    They suggest simply adding the following lines to the Electron window configuration:

    nodeIntegration: false,
    contextIsolation: true
    

    Seems reasonable, until you understand the immediate software architecture implications.

    By disabling node integration, the renderer can no longer access any built-in Node functionality; that work must now take place in the main process, yet still be triggered from within the renderer.

    By enabling context isolation, these calls into the main process must go through the context bridge defined in a preload script.

    As a result, these existing Electron applications required thousands of lines of code to be moved from the renderer into the main process, with supporting code predefined in window-specific preload scripts for reference within the renderer.

    Why bother, you might ask? Potentially tens of thousands of lines of code changed and moved around, just for the end user to get identical functionality? Because of the security implications.

    If you have nodeIntegration enabled and contextIsolation disabled, your Electron application is arguably unsafe for end users, especially if it interacts with user-generated content (such as blockchain inputs or wallet prompts).

    In what way? If, for example, an XSS attack were performed, the payload could leverage node integration to call dangerous functions such as reading and writing files on your disk.

    With node integration disabled, these Node features simply don't exist in the renderer, halting small payload exploits in their tracks; with context isolation enabled, any such XSS payload is limited to the predefined functions exposed to the window through the context bridge, significantly reducing the damage an attacker can do compared with leaving it disabled.

    Considering Electron has been enabling context isolation by default since version 12, and we're well past version 29, the task couldn't be put off any longer. Thus began efforts to apply these changes to every Electron application I contributed towards!

    Electron applications with these changes applied:

    If you're interested in seeing the difference, here's the BeetEOS merged PR for context isolation:
    https://github.com/beetapp/beeteos/pull/14/files

    New lines of code: 33.5k
    Removed lines of code: 6k

    Now, some of that is the reintroduction of the Bitshares blockchain, but it still shows that a large re-architecting of functional code had to occur as a result of setting these two Electron security config lines.

    If you're contributing to an Electron application, consider making these changes too. Otherwise you're putting the security of your users at risk!

    I saw a recent study into Electron applications' uptake of these security settings; it implied that upwards of 3/4 of all Electron apps haven't implemented them. Do your part to help lower this percentage!


    Thanks for reading this far!

    Enjoying the cyber security standard being set by the above Bitshares applications? Consider supporting continued development:
