Fiddle: Question: Isn't this wildly dangerous?

Created on 24 Oct 2018 · 2 comments · Source: electron/fiddle

I love what you're doing here, but I'm concerned that newcomers may not realize that an Electron application operates at a much higher level of trust than a web browser window, e.g. it can access files, network resources, etc., and that there are some bad people in the world who might try to trick them into loading malicious programs.

I see that you are at least preventing navigation, but are users informed about Node.js integration, etc.? (Admittedly, I haven't played with Electron Fiddle yet, other than reading some docs and grepping some code, so I apologize in advance for my ignorance.) If there are potential security risks by default, perhaps users should see a warning banner or something and have to opt in to activate that functionality.

Related to https://github.com/electron/fiddle/issues/62

All 2 comments

It's as dangerous as running npm install on a module of which you haven't carefully read the _whole_ source code, including all of its dependencies. Which is to say: you're right, the world is a pretty scary place and you should never run any code from someone you do not trust. So far, the Node community has had to rely on that trust; I actually doubt that anyone has read all of the Node code they have ever run on their machine (which starts with pre- and post-install hooks in modules).

That said, we could educate people that hitting "run" on a Fiddle means that all the code they see will be executed, including in required modules.

It's a good question and I'm thankful that you've asked it. I'll close this issue for now as "answered" but I do agree that there's probably more we could do to educate users; I'd have ❤️ for feature proposals!

I guess my concern isn't so much about "making it safe" but rather providing informative warning messages to help newcomers avoid being taken advantage of. (A classic example of abuse is how scammers have tried to trick people into pasting malicious code into the developer tools' console; see "DevTools: Combat self-xss".) Not sure what the best path is at this point.
