New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable sandbox by default #15760
Comments
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can. To help make it easier for us to investigate your issue, please follow the contributing guidelines. |
While I think that this tactic is appropriate for remote content, it pretty thoroughly nukes the entire Electron ecosystem. Developers will be faced with the choice of, "Use any electron- package by disabling security, or enable security and not be able to do anything". Nuking the ecosystem has been a pretty huge disaster for many OSS projects (Python 3, QT, .NET Core), and while security is one of the few Good Reasons to do so, I think that we should think Really Hard on what we can do in order to get a Secure and Usable Electron. People do not get IPC. Full stop. Understanding IPC requires you to thoroughly understand the multiprocess model, the most confounding part of Electron, and people really don't understand how to use it effectively - even good developers will end up inadvertently making their app into an undebuggable spaghetti maze of message handoffs. Moving to a model where IPC is literally required to do anything will have a huge effect on developer productivity. At the end of the day, the issues brought up by @bcrypt et al about Electron Security, are all around way that local-only apps can get tricked into running remote content ("Every XSS now becomes an exploit"). To that end, I think the solution here is to limit the executability of content not coming from the app bundle (i.e. This model might require more deviation from Chrome (and more work!), but I believe we're at a pretty significant juncture here - if we make Electron so difficult to use in the name of Security that only Experts can build something more than "a webpage in a frame", Electron ceases to be an interesting platform. |
Hi, |
I use electron-rpc-api (which is built on pubsub-to-stream-api) for communicating with the main process as well as with the webviews. The module was originally a part of the email-securely-app project, but then got moved to a standalone project. The module is opinionated and not well polished yet, but it solves my need in converting Would be great if Electron provides an official module with similar ideas. |
@vladimiry @emmkimme Sandbox being enabled and potential IPC wrappers / improvements are separate discussions, can we keep this thread on track for discussing @nornagon 's proposal |
Yes, sure. Sorry for the digression. |
I would be in favour of this, although it would break backwards compatibility for apps, needing developers to either update their code or turn it off across a set of webPreferences. Perhaps having a call that can be made before app.setSecurityModel('classic') // enable-mixed-sandbox=false webPreferences.sandbox=false
app.setSecruityModel('sandboxed') // (default) enable-mixed-sandbox=true webPreferences.sandbox=true It still gives fine grained control for specific webPreferences as developers need it, and ensures that new apps have sandboxing enabled by default. For existing apps, developers have the option of stucking with the current behaviour or mix-matching as needed |
A couple of thoughts I had in the last day or so:
Perhaps we could somehow enable sandboxed mode by default for remote content only? I like the idea of an |
I am working on a PR to allow apps opting into a more secure behavior. Please have a look #17902 |
I think this is a great change for people who want to run with the sandbox enabled. Mainly because electron-builder re-uses the base electron executable and it therefore can not magically append the sandbox flags (the only options are to 1. write some kind of packer/wrapper or 2. a custom electron build with --enable-sandbox as default). There was no simple way to create a sandboxed electron app in a distributable form through the conventional packaging solutions. |
You can add the flag with |
Thanks, I wasn't aware of |
Very bad idea... on WSL electron 5.0 purely fails. Especially test frameworks like Cypress 3.5 is blocked on all WSL systems beacause of this sandbox proposal. Going back to older version of Electron ... |
@adomyaty55foundry Please confine your feedback to the most appropriate issue. By commenting different, but related, stuff on three different issues, it only makes it harder for us to understand the problem you're describing and makes it less likely we'll be able to help you. And since it seems that the problem you're describing is only tangentially related to the three issues you commented on, we would appreciate it if you could open a new issue and completely fill out the template so that we can have as much information as possible to understand what is going on. |
Note that electron-s sandbox conflicts with external sandboxing. An external sandbox might be preferable to the user because it can be aware of local user-s preferences. For example, it might only give access to a white list of directories and forbid the rest. So for the user, two choices are
In the above situation, many people choose the second approach. |
On some Linux distributions the `electron:serve` task won't work without the `--no-sandbox` flag. see: electron/electron#18265 electron/electron#15760 electron/electron#17972
Can someone from the electron team please confirm if this feature, sandbox mode, is production ready? As noted by @nornagon, this feature will no longer be experimental in Electron 5, but yet the docs still have a header that reads reads this feature is experimental. |
Duplicate of #28466 |
In Electron 5, sandbox mode will no longer be experimental, and running with --enable-sandbox or --enable-mixed-sandbox will be the recommended way to use Electron. In Electron 6, --enable-mixed-sandbox will be on by default and the
sandbox
webPreferences option will be true by default.This is still an early-stage proposal, so definitely keen to hear any feedback or concerns people might have!
The text was updated successfully, but these errors were encountered: