For my own part, I find the introduction that specifically warns that Electron is not a web browser and should not be trusted to handle potentially malicious code from over a network to be clear enough. I understand that this is an opinion that not everyone will share.
For a single specific example, look at the information on permissions and compare to how min handles them. I also see no functionality that attempts to determine if code is malicious or not. Chrome does have measures in it to do this.
That said, I need to be clear. The matter at hand is not a matter of mere configuration and cannot be addressed by better configuration of Electron. Chromium was designed and built to run in a very hostile context. Electron has been built to run in a much more trustworthy context. There is no amount of configuration that will turn the latter into the former because it is not purely a difference of configuration.
Electron's security model is not bad in any absolute sense. It's designed for a particular context and set of scenarios. Dropping it into a very different one with very different needs makes it a poor fit for the job at hand. You may as well descend into a volcano with a home stove potholder.
I hope this has clarified matters. I understand that some people will be very discouraged by the stance I have taken on this. I have no desire to crush their dreams, only to ensure they make good and wise decisions around security.
For a single specific example, look at the information on permissions and compare to how min handles them. I also see no functionality that attempts to determine if code is malicious or not. Chrome does have measures in it to do this.
That said, I need to be clear. The matter at hand is not a matter of mere configuration and cannot be addressed by better configuration of Electron. Chromium was designed and built to run in a very hostile context. Electron has been built to run in a much more trustworthy context. There is no amount of configuration that will turn the latter into the former because it is not purely a difference of configuration.
Electron's security model is not bad in any absolute sense. It's designed for a particular context and set of scenarios. Dropping it into a very different one with very different needs makes it a poor fit for the job at hand. You may as well descend into a volcano with a home stove potholder.
I hope this has clarified matters. I understand that some people will be very discouraged by the stance I have taken on this. I have no desire to crush their dreams, only to ensure they make good and wise decisions around security.