electron / fuses

Electron fuse support for disabling bad flags (--disable-sandbox, --remote-debugging-port, etc.)

phamminhvu opened this issue · comments

Hi Team,

We are working on a project based on Electron to build an application for Windows.
I see that in Electron version 12.x.x we merged fuses to support the "Run as Node" option, but I see in the ticket here:
electron/electron#24241

This PR implements one use case (disabling ELECTRON_RUN_AS_NODE), other potential use cases which could be implemented in the future using this system.

  • Disabling bad flags (--disable-sandbox, --remote-debugging-port, etc.)
  • Disabling the node debugger
  • Disable the app, app.asar, default_app.asar load path search and enforce only one of those is ever searched
  • Enforce certain webPrefs (E.g. all webContents must have sandbox, contextIsolation, etc.)
  • Other wild stuff that depends on other crazy ideas

Could we have a plan for supporting the next options (e.g. disabling bad flags (--disable-sandbox, --remote-debugging-port, etc.))? In which Electron version can we support this option?

Thank you very much for your support!
Jason

Since there's a ticket about removing these flags, I'll add a couple more options that I'd like to be able to disable:

Actually, I made a package that disables all of them by patching the Electron binary in different crazy ways (it's using the "fuses" feature for ELECTRON_RUN_AS_NODE, it would not be possible to disable this thing without it), however I don't like this solution, it's fragile and it's very likely to break. I would love to see support for this in Electron fuses!

Also see a discussion in the ticket I opened previously: electron/electron#24260, it's unlikely to be fixed in Electron, but then, on the other hand, I'm curious why a switch for ELECTRON_RUN_AS_NODE was implemented 🤔. In any case, I don't see any harm in adding feature toggles (fuses) for the debugging features.

// You should probably open this issue in Electron and not here, but I don't know.

NodeJS debugging flags can now be disabled by fuses (see the README for the flags to use). Chromium debugging flags are a different beast that will have to be potentially dealt with separately (if it's even possible).
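
A release check for the fuses discussed in this thread, as an added example that is not part of the thread or of Electron's own code: it reads the fuse wire from a binary image and reports which Node-related fuses are still enabled. The wire layout (sentinel, version byte, length byte, one state byte per fuse) and the fuse positions are assumed from Electron's fuse documentation and `FuseV1Options`; the sample images are constructed. Chromium flags such as --remote-debugging-port are not covered by fuses and are not checked here.

```javascript
// Added example. Wire layout assumed from Electron's fuse documentation:
// sentinel string, one version byte, one length byte, one byte per fuse.
const SENTINEL = 'dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX';
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };
// First four positions of wire version 1, named as in FuseV1Options.
const FUSE_NAMES = [
  'RunAsNode',
  'EnableCookieEncryption',
  'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments',
];
// The Node entry points discussed in this thread.
const MUST_BE_OFF = [FUSE_NAMES[0], FUSE_NAMES[2], FUSE_NAMES[3]];

// image: Buffer holding the Electron executable (or framework binary).
function readFuses(image) {
  const at = image.indexOf(SENTINEL);
  if (at === -1) throw new Error('fuse sentinel not found');
  const start = at + SENTINEL.length;
  if (start + 2 > image.length) throw new Error('truncated fuse wire');
  const [version, length] = [image[start], image[start + 1]];
  if (version !== 1) throw new Error(`unsupported fuse wire version ${version}`);
  if (start + 2 + length > image.length) throw new Error('truncated fuse wire');
  const fuses = {};
  for (let i = 0; i < length; i++) {
    const name = FUSE_NAMES[i] || `fuse${i}`;
    fuses[name] = STATES[image[start + 2 + i]] || 'unknown';
  }
  return fuses;
}

// Returns the required-off fuses that are not explicitly 'disabled'. A fuse
// absent from a shorter wire is reported too: it cannot have been disabled.
function auditFuses(image) {
  const fuses = readFuses(image);
  return MUST_BE_OFF.filter((name) => fuses[name] !== 'disabled');
}

// Constructed sample images (not real binaries): padding, sentinel, wire.
function sampleImage(states) {
  return Buffer.concat([
    Buffer.alloc(16), Buffer.from(SENTINEL, 'latin1'),
    Buffer.from([1, states.length]), Buffer.from(states, 'latin1'), Buffer.alloc(8),
  ]);
}
const looseBuild = sampleImage('1011');
const hardenedBuild = sampleImage('0100');
console.log(auditFuses(looseBuild), auditFuses(hardenedBuild));
```

In a build pipeline the same `auditFuses` call would take the packaged binary's bytes as a Buffer and fail the job when the returned list is not empty.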