"Remote Code Execution in Slack desktop apps" https://hackerone.com/reports/783877
This is why I refuse to use Slack, Discord, etc. in their native app versions – only in the browser. Browsers have gotten pretty good at sandboxing and auto-updating. Historically, Electron apps have demonstrated themselves to be good at neither.
With an Electron app, you're basically running a custom-made browser where the authors have to be trusted to get two aspects of security right – the web dev part, and the browser dev part.
If a website is insecure, worst case scenario (most of the time) is that an attacker can get access to that site's data. If an Electron app is insecure, worst case scenario is that the attacker gets full system access to do whatever they want. That's terrifying.
Some people prefer the Electron versions of apps because they like being able to press Alt-Tab instead of having to pin a browser tab. Or they like that it's better integrated into the system notifications. For me, this is a bad reason to compromise so much security (and performance as well – you're running a whole extra instance of Chromium).
@nolan It's early days for PWA indeed. But, the technology is far ahead and ubiquitous enough that we're really just one big example away from it becoming normal.
We need one big app to go all-in and advertise its site as offline or homescreen compatible, to really seed these concepts with users at large.
... until then, it's back to the 90s with "site directories" to discover them. Here's one I like:
(Not all entries are offline, but it documents which ones are.)