Risks on using cefpython3 with Chromium 66


HydeNor

Oct 18, 2024, 8:56:32 AM
to CEF Python

Hi everyone,

I would like to use cefpython3 for porting a web application to a desktop application.

I figured out that the latest official version of cefpython3 uses Chromium 66, which is pretty old (this is a version from 2018).

I wonder which project risks exist when using such an old Chromium version. Are there any security issues? The application will run within a local network, which might have internet access. The application itself doesn't use internet connectivity.

The application seems to be compatible with Chromium 66; I just had to change two small CSS classes so that the desktop application looks like the web application.

Thank you for sharing your knowledge with me!

Czarek Tomczak

Feb 10, 2025, 7:08:14 AM
to CEF Python

Hi,

If you load content that you have control over you should be fine.

Here is a more elaborate quote by Marshall Greenblatt:

CEF offers significant integration capabilities beyond what is offered by a standard Google Chrome browser installation. The trade off for these additional capabilities is that organizations using CEF must take responsibility for their own application security. CEF and the underlying open source projects (Chromium, WebKit, etc) involve a significant amount of code and offer no warranties. Organizations should document and follow best practices to minimize potential security risks. Here are some recommended best practices that organizations can consider:

Only load known/trusted content. This is by far the best way to avoid potential security issues.
Disable plugins. This will avoid a large category of security issues caused by buggy versions of Flash, Java, etc.
Do not explicitly disable or bypass security features in your application. For example, do not enable CefBrowserSettings that bypass security features or add fake headers to bypass HTTP access control.
Keep your application up to date with the newest CEF release branch. You may want to update the underlying Chromium release version and perform your own builds to take immediate advantage of any bug fixes.
Enforce good programming practices. Every organization should have best practices for design, testing and verification.
Audit your application for potential security issues. Every decision that may have security consequences should be evaluated by people who are knowledgeable about security considerations.
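As an added example that is not part of this thread and not cefpython's own code, here is how the first three practices above look in a cefpython3 app: an exact-origin allowlist enforced from a RequestHandler, plugins disabled, and no security setting switched off. The origins are constructed, and the callback signatures and BrowserSettings key names are assumptions taken from the cefpython3 v66 API docs.

```python
from urllib.parse import urlsplit

# Origins the app may navigate to or fetch from (constructed example values:
# the UI bundled on disk plus one intranet API host). Everything else is refused.
TRUSTED_ORIGINS = {"file://", "http://app.intranet.local:8080"}

def origin_of(url):
    """Canonical scheme://host[:port] of url, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""   # strips userinfo, lowercases the host
        port = parts.port             # None if absent, ValueError if malformed
    except ValueError:
        return None
    origin = "%s://%s" % (parts.scheme.lower(), host)
    return "%s:%d" % (origin, port) if port else origin

def is_trusted_url(url, allowed=TRUSTED_ORIGINS):
    """Exact origin match against the allowlist; no wildcards, no substring tricks."""
    return origin_of(url) in {origin_of(o) for o in allowed}

class RequestHandler:
    """cefpython3 client handler: returning True cancels the navigation/request
    (callback names and signatures assumed from the cefpython3 v66 API docs)."""

    def OnBeforeBrowse(self, browser, frame, request, user_gesture, is_redirect):
        return not is_trusted_url(request.GetUrl())

    def OnBeforeResourceLoad(self, browser, frame, request):
        return not is_trusted_url(request.GetUrl())

def browser_settings():
    """Per-browser settings (assumed cefpython3 BrowserSettings key names):
    plugins off, and every security feature left enabled."""
    return {
        "plugins_disabled": True,
        "web_security_disabled": False,
        "universal_access_from_file_urls_allowed": False,
        "file_access_from_file_urls_allowed": False,
    }

if __name__ == "__main__":
    # Only the window setup needs cefpython3; the checks above run without it.
    from cefpython3 import cefpython as cef
    cef.Initialize()
    browser = cef.CreateBrowserSync(url="file:///opt/myapp/index.html",
                                    window_title="My app", settings=browser_settings())
    browser.SetClientHandler(RequestHandler())
    cef.MessageLoop()
    cef.Shutdown()
```

The allowlist check keeps a 2018-era renderer away from content you do not control, which is the main lever you have short of rebuilding against a newer Chromium.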