[CRITICAL] Sandbox disabled in browser window configuration

## Security Issue: Sandbox Disabled

**Severity**: CRITICAL  
**Location**: `src/main/windows/main.ts:361`

### Description
The Electron browser window has `sandbox: false` explicitly set, which disables Electron's sandbox protection. This is currently required for electron-trpc but creates a significant security vulnerability.

### Code
```typescript
sandbox: false  // Required for electron-trpc (commented)
```

### Risk
Disables Electron's sandbox protection, allowing the renderer process to access Node.js APIs if context isolation is breached.

### Recommendation
1. Investigate if electron-trpc has sandbox-safe alternatives
2. Research alternative IPC mechanisms that support sandboxing
3. Document the security tradeoff if sandboxing cannot be enabled
4. Consider using `@electron/remote` or custom IPC bridge as alternatives

### References
- [Electron Security Documentation](https://www.electronjs.org/docs/latest/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content)
- electron-trpc GitHub issues for sandbox support

Labels: `security`, `critical`, `electron`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CRITICAL] Sandbox disabled in browser window configuration #103

Security Issue: Sandbox Disabled

Description

Code

Risk

Recommendation

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[CRITICAL] Sandbox disabled in browser window configuration #103

Description

Security Issue: Sandbox Disabled

Description

Code

Risk

Recommendation

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions