Capacitor 2 and Security

Capacitor 2.0 should fix the XSS issue that Cordova has always had, and split the code between privileged code (backendish) and UI code, and be multi-process.

Capacitor 1.1 turned off Electron security protections to make things work as they always have. In Capacitor 2 you have the opportunity to have the business logic run in a separate thread from the UI, and add the privileged code there. And such logic would not need to hold up the UI thread, allowing for a smoother app.

One XSS in an iPhone app and maybe they own that app. One XSS in an Electron app and they could wipe out your whole PC and life. There is a reason why Electron changed the defaults. You could even use multiple “backend” hidden renderers (see electron-remote for an example).
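An added example, not code from this thread or from Capacitor: a plain Node.js check of an Electron `webPreferences` object for the renderer protections the posts above refer to, with a permissive configuration beside a hardened one. The permissive settings and the preload path are constructed for illustration, not taken from Capacitor 1.1.

```javascript
// Runs without Electron: it only inspects the webPreferences object you would
// pass to `new BrowserWindow({ webPreferences })`.

// Constructed example of permissive settings (assumed, not Capacitor's code):
// everything the page's JavaScript can reach is also reachable by injected script.
const permissiveWebPreferences = {
  nodeIntegration: true,    // renderer gets require(), fs, child_process ...
  contextIsolation: false,  // page scripts share a JS world with the preload
  webSecurity: false,       // same-origin policy disabled
  sandbox: false,           // renderer runs outside the OS sandbox
};

// Hardened settings, matching Electron's current defaults (nodeIntegration off
// since v5, contextIsolation on since v12, sandbox on since v20). A preload
// script is the only bridge to the privileged main process; it should expose
// a minimal API through contextBridge rather than raw Node modules.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
  sandbox: true,
  preload: '/app/preload.js',  // assumed path
};

// Each check: setting name, predicate that is true when the setting is weak,
// and why it matters once an XSS lands in the renderer. Only explicit values
// are judged; an absent key means "Electron default for your version".
const CHECKS = [
  ['nodeIntegration', p => p.nodeIntegration === true,
    'XSS in the page becomes arbitrary Node.js code execution on the host'],
  ['contextIsolation', p => p.contextIsolation === false,
    'page scripts can reach preload/privileged objects directly'],
  ['webSecurity', p => p.webSecurity === false,
    'same-origin policy off: injected script can read any origin'],
  ['sandbox', p => p.sandbox === false,
    'renderer process runs without the OS sandbox'],
];

// Returns one finding per weak setting; an empty array means nothing flagged.
function auditWebPreferences(prefs) {
  return CHECKS
    .filter(([, isWeak]) => isWeak(prefs))
    .map(([setting, , risk]) => ({ setting, risk }));
}

console.log(auditWebPreferences(permissiveWebPreferences)); // 4 findings
console.log(auditWebPreferences(hardenedWebPreferences));   // []
```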

Can you elaborate and provide links about the Cordova’s XSS issues?

Just search for: cordova xss xas