If an attacker manages to inject a `<script>` tag in an Electron app (for example because the app failed to sanitize user input stored in a remote server), it seems like they would have nearly absolute control over the victim's machine. For example, they could `require('fs')` and do whatever they want with the victim's file system, e.g. destroy their home folder, snoop on sensitive data, etc.
In the database world, injection is mitigated not only through input sanitization, but also by ensuring the user has the least permissions possible, so that in the event an injection slips through, the damage is limited (e.g. read-only permissions, or permissions limited to specific tables, etc.).
Alas, it looks like Electron doesn't offer a security model to prevent/mitigate such script injections?
Turning off `node-integration` would solve the issue, but would also defeat one of the central purposes of Electron (i.e. providing non-web functions). IPC in principle could be used to expose only a limited set of capabilities, but as explained in #456 there's no way to use `ipc` without enabling `require()` for all Node core modules.
Am I missing something? Thanks!