Secure Build #17
Description
Supply a secure build alternative without all the short polled price callbacks and Shifty (provides JS with no checksum checks or other validations) and if possible prevent any connections in Electron(specifically Chromium) to anywhere but the localhost/127.0.0.1.
Once we determine what exactly needs to be changed to harden it, it will just be as simple as creating a script and adding it to the gulp build script.
So this allows people to have a significantly more secure GUI client with very little additional time invested.
I'm worried particularly about potential XSS attacks
When trying to determine if I could limit the host range in Electron I found this article for those interested in the topic. This may do a better job of articulating the issue in the Electron context then I could.
http://blog.scottlogic.com/2016/03/09/As-It-Stands-Electron-Security.html