Open
Description
Motivation:
- some people want to use Node.js APIs in their projects
- those people will inevitably make their own forks
- if people want to do the horrible and insecure thing, is there value in giving them the least bad way of doing it?
- we can ensure proper warnings and discouragement
- they can still reliably get our security and feature updates
Proposed desktop editor changes:
- command line flag like `--i-will-not-ask-for-help-when-i-accidentally-install-malware` will make the editor window be started with nodeIntegration enabled
- no GUI option; only command line flag
- document in README.md after userscript section
- precedent for reducing security via command line arguments exists via standard Chromium arguments `--no-sandbox`, `--disable-gpu-sandbox`, `--disable-web-security`
- show non-skippable window each time this mode is used to make sure people who use this are aware of the risks
- restrict availability to installs directly from our website, not app stores, to ensure compliance
- update unsandboxed extension warning to describe actual risks
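
A sketch of the launch-time gating proposed above, as an added example that is not part of the original issue or the project's code. The function names `decideUnsafeMode` and `editorWebPreferences` are hypothetical, and the handling of a bare `--`, the `contextIsolation`/`sandbox` values and the acknowledgement parameter are assumptions; `mas` and `windowsStore` mirror the booleans Electron sets on `process` in store builds.

```javascript
// Added sketch, not project code. Pure logic: no Electron import needed to run it.
const UNSAFE_FLAG = '--i-will-not-ask-for-help-when-i-accidentally-install-malware';

// Default, hardened settings for the editor window.
const SAFE_PREFS = Object.freeze({ nodeIntegration: false, contextIsolation: true, sandbox: true });
// Assumption: giving page scripts Node.js APIs also means turning these two off.
const UNSAFE_PREFS = Object.freeze({ nodeIntegration: true, contextIsolation: false, sandbox: false });

// argv: process.argv.slice(1)-style list. build: { mas, windowsStore } as exposed
// on Electron's `process` object in store builds.
function decideUnsafeMode(argv, build = {}) {
  // Assumption: switches end at a bare "--"; anything after it is a file name.
  const end = argv.indexOf('--');
  const switches = end === -1 ? argv : argv.slice(0, end);
  // Exact match only: no prefixes, no "=value" forms, no case folding.
  const requested = switches.includes(UNSAFE_FLAG);
  if (!requested) return { requested, allowed: false, reason: 'flag-absent' };
  if (build.mas || build.windowsStore) {
    // Store installs never get the mode, even when the flag is passed.
    return { requested, allowed: false, reason: 'store-build' };
  }
  return { requested, allowed: true, reason: 'flag-present' };
}

// The warning is shown on every launch; only an explicit acknowledgement from
// that window (acknowledged === true) unlocks the unsafe preferences.
function editorWebPreferences(decision, acknowledged) {
  return decision.allowed && acknowledged === true ? UNSAFE_PREFS : SAFE_PREFS;
}
```

The returned object is meant to be passed as `webPreferences` when the editor `BrowserWindow` is created, so every path that does not pass all three checks falls back to the hardened defaults.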