Differential Security Analysis of Cross-Platform Electron Applications
thesis
posted on 2025-05-01, authored by Claudio Paloscia
This thesis presents an in-depth analysis of security mechanisms in Electron-based cross-platform applications, specifically examining how Electron manages HTTP headers and security mechanisms compared to Google Chrome.
The research evaluates Electron's handling of critical headers through both manual testing and the Web Platform Tests (WPT) cross-browser test suite. Special attention is given to vulnerabilities introduced by Electron's unique architecture, including its use of webviews and local HTML files, which may enable bypasses of standard security protocols. We then explore the implications of local file handling with regard to the fundamental web security notion of an origin, and find that it differs substantially from that of modern browsers.
In summary, this study identifies significant security gaps, particularly in how Electron handles CORS, permissions, and origins in local file contexts. These discrepancies can expose Electron applications to cross-origin resource-sharing issues, inconsistencies in cookie handling, and unintended permission granting. This enables a series of significant threats, including allowing third-party web resources to freely navigate through the file system and access sensitive information.
In light of these findings, we advocate for implementing stricter default security settings in Electron to better protect applications and their users.