This is a fairly exciting presentation about the dangers of injecting user controlled content into an Electron app. Short version: Don't.https://twitter.com/hasegawayosuke/status/789330285179514880 …
IIUC it wouldn't solve the problem because of other ways to trigger navigations. Also, it's not backward-compatible and would break ∞ :(
-
-
What other ways are you thinking of? *shrug* I’m sure it would break some things, but 0.001% is not a lot of percent.
-
Links, form submissions, <iframe> navigating http://window.top , etc. I'm wary of believing UMA here, but I have no data to prove it :/
-
I believe our metrics! Unless they tell me things I don’t want to hear.
-
I think another point here is that meta refresh allows dangling markup without user interaction.
-
Can you? Starting in 61, we should be blocking requests that contain newlines and ‘<’, which I hope mitigates this risk.
-
cool, will test it then :)
-
CC me on the bugs you file. :)
-
Sorry, seems like I don't have permission to CC you :P https://bugs.chromium.org/p/chromium/issues/detail?id=749852 …
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.