Inform users that Electron-based browsers are insecure #440

Closed
anko opened this issue Oct 20, 2017 · 10 comments
@anko

anko commented Oct 20, 2017

From https://electron.atom.io/docs/tutorial/security/:

When working with Electron, it is important to understand that Electron is not a web browser.

[ ... ]

With that in mind, displaying arbitrary content from untrusted sources poses a severe security risk that Electron is not intended to handle. In fact, the most popular Electron apps (Atom, Slack, Visual Studio Code, etc) display primarily local content (or trusted, secure remote content without Node integration) – if your application executes code from an online source, it is your responsibility to ensure that the code is not malicious.

It is clear that Electron is not intended to be a framework for building a web browser. Tracking Chromium releases (which contain security updates) is not a priority for its maintainers, so min may be arbitrarily out of date, and arbitrarily insecure.

I think the readme should loudly warn users about this.

@doreminiature

doreminiature commented Oct 20, 2017

@anko, you are absolutely right!
@PalmerAL, I think Muon is the next logical step in project evolution.

@PalmerAL
Collaborator

Right, there are issues with this. I think it's worth pointing out that the paragraph quoted above is kind of misleading regarding Min. What the docs are saying is that, unlike a regular webpage you load in a browser, which can't do a lot to affect the local computer, the URL you give Electron to load in a window has complete access to the computer. This is completely true - any code run in the context of the Min UI (which is anything in this file: https://github.com/minbrowser/min/blob/master/index.html) has full node access. However, webpages in Min aren't loaded directly into this file - they're loaded using a webview tag, which behaves much more like a regular webpage with the limited permissions you would expect.

The lag in Chromium releases is an issue. Part of the problem is that Electron lags behind Chromium, and part of the reason is that our releases lag behind Electron releases. For example, right now, we're using Electron 1.7.8, which is based on Chromium 58. The latest Electron release is based on Chromium 59; we should be able to release more frequently to help avoid this. Meanwhile, the latest Chromium release is 62, so this obviously doesn't solve the whole issue.

Muon does seem to solve a lot of the issues with this (and support for popup windows would be nice as well). The biggest problem with Muon (and what's stopped me from considering a switch in the past) is that there seems to be almost no documentation on it. Brave's added a bunch of APIs specific to their browser, and changed a bunch of things about how Electron's existing features work, and the only way (unless I'm missing something?) to figure out how to use it is to look at Brave's source code and guess what the correct API is. Meanwhile, glancing through their issue tracker, they don't seem to answer questions about it (which I completely understand, they're not obligated to, but it's a problem for us). If we migrate to Muon, I think we're going to have a lot of problems with this; I'm not really sure what the best option is here.

@PalmerAL
Collaborator

Another interesting thing is this PR: electron/electron#9644. Being able to use Chromium's security sandbox would be a huge benefit, since a lot of the vulnerabilities in Chromium depend on the sandbox being disabled. The docs don't really say anything about it, but based on this sentence in https://electron.atom.io/docs/api/sandbox-option/: "To enable OS-enforced sandbox on BrowserWindow or webview process with sandbox:true without causing entire app to be in sandbox," I think it should work in a webview?
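
The two comments above describe keeping guest pages in a webview without Node access and turning on the Chromium sandbox. As an added example (not Min's code and not written by any commenter), this shows how an Electron main process could enforce both on every webview before it attaches. The function names, the sample objects and the http(s)-only URL policy are assumptions, and it assumes `sandbox` applies to webview guests as the quoted docs sentence suggests.

```javascript
// Added example, not Min's code. hardenGuestPrefs, onWillAttachWebview and the
// sample objects are hypothetical; the webPreferences keys are Electron's.

// Force the guest-page settings discussed above; return what was changed.
function hardenGuestPrefs (webPreferences) {
  const changes = []
  // A preload script runs ahead of the page with more privilege than the page.
  for (const key of ['preload', 'preloadURL']) {
    if (key in webPreferences) {
      delete webPreferences[key]
      changes.push(`removed ${key}`)
    }
  }
  for (const [key, value] of [['nodeIntegration', false], ['sandbox', true]]) {
    if (webPreferences[key] !== value) {
      webPreferences[key] = value
      changes.push(`${key}=${value}`)
    }
  }
  return changes
}

// Assumed policy for this example: guests may only load http(s) URLs.
function isAllowedGuestUrl (src) {
  try {
    return ['http:', 'https:'].includes(new URL(src).protocol)
  } catch (err) {
    return false // unparsable src
  }
}

// Shaped like a 'will-attach-webview' listener: (event, webPreferences, params).
function onWillAttachWebview (event, webPreferences, params) {
  const changes = hardenGuestPrefs(webPreferences)
  if (!isAllowedGuestUrl(params.src)) event.preventDefault()
  return changes
}

// In an Electron main process this would be registered as:
//   app.on('web-contents-created', (e, contents) =>
//     contents.on('will-attach-webview', onWillAttachWebview))

// Constructed sample: a webview that asked for Node access and a preload.
const prefs = { nodeIntegration: true, preload: '/tmp/inject.js' }
const sampleEvent = { blocked: false, preventDefault () { this.blocked = true } }
console.log(onWillAttachWebview(sampleEvent, prefs, { src: 'file:///home/user/notes.txt' }))
console.log(prefs, sampleEvent.blocked)
```
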

anko added a commit to anko/min that referenced this issue Oct 29, 2017
As explained in https://electron.atom.io/docs/tutorial/security/,
Electron isn't made for writing browsers.  I think potential users need
to know.

Closes minbrowser#440.
anko added a commit to anko/min that referenced this issue Oct 30, 2017
As explained in https://electron.atom.io/docs/tutorial/security/,
Electron isn't made for writing browsers.  I think potential users need
to know.

Closes minbrowser#440.
@anko
Author

anko commented Oct 30, 2017

Apologies for the above commit-reference spam. I force-pushed fixes to dumb formatting mistakes, to keep the PR at 1 commit, and apparently GitHub insists on showing every version here…

@mfarooqi

What is the privacy policy under min browser?

@anko
Author

anko commented Nov 13, 2017

Closing because an alternate to #445 has been merged, which informs users adequately.

@mfarooqi Sounds like a separate question. Perhaps create a separate issue?

anko closed this as completed Nov 13, 2017
@PalmerAL
Collaborator

@mfarooqi We don't have any data collection built into the browser (and as far as I know, Chromium doesn't include the data-collection that Chrome has, although I could possibly be wrong about that). If you have DuckDuckGo set as your default search engine, we'll send what you type in the searchbar to them to show search suggestions and instant answers. That data would be covered under their privacy policy here: https://duckduckgo.com/privacy.

@PalmerAL
Collaborator

PalmerAL commented Feb 5, 2019

Sandboxing is enabled for macOS and Windows starting in 1.9. Once we upgrade to Electron 5.0 (which includes support for mixed-sandbox mode on Linux), we should be able to enable it for all platforms.

@djmaze

djmaze commented Feb 5, 2020

As far as I can see, min is now at Electron 7. Has sandboxing been enabled for all platforms?

@PalmerAL
Collaborator

PalmerAL commented Feb 5, 2020

@djmaze Yes, it's been enabled everywhere since 1.10 I think.
