Serve HTML pages with a custom protocol in all project templates by default #4099

@RareScrap

Pre-flight checklist

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project uses.
  • I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Problem description

The Electron security guidelines discourage the use of the file:// protocol for serving app pages, yet the templates still employ this approach by default. This creates extra work for the developer that doesn't know about it (which makes the situation even more dramatic) because a newly created project is expected to be a safe foundation for future work. Moreover, the current situation almost certainly leads to unsafe code reaching production.

Proposed solution

Serve app pages using a custom protocol instead of the file:// protocol in all templates used by create-electron-app.

Alternatives considered

A solution like "add a warning to the doc" is not even an option when it's possible to prevent the problem at all with safe templates.

Additional information

No response
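
Added example, not part of the issue and not Electron Forge template code: a sketch of what serving renderer pages over a custom protocol looks like in an Electron main process, with the path containment check a handler needs so that file access stays inside the app's own directory. The scheme name `app`, the host `bundle`, and the helper names are assumptions; `protocol.registerSchemesAsPrivileged`, `protocol.handle` and `net.fetch` are Electron APIs.

```javascript
// Added example: not Electron Forge template code.
const path = require('node:path');
const { pathToFileURL } = require('node:url');

const SCHEME = 'app';   // assumed scheme name
const HOST = 'bundle';  // assumed single host the app serves from

// Call before app 'ready' so app:// behaves like a standard, secure origin.
function registerScheme(protocol) {
  protocol.registerSchemesAsPrivileged([
    { scheme: SCHEME, privileges: { standard: true, secure: true, supportFetchAPI: true } },
  ]);
}

// Map app://bundle/<path> to a file inside rootDir; null for anything else.
function resolveAppUrl(requestUrl, rootDir) {
  let pathname;
  try {
    const url = new URL(requestUrl);
    if (url.protocol !== `${SCHEME}:` || url.host !== HOST) return null;
    pathname = decodeURIComponent(url.pathname); // throws on malformed escapes
  } catch {
    return null;
  }
  if (pathname.includes('\0')) return null;
  if (pathname.endsWith('/')) pathname += 'index.html';

  const root = path.resolve(rootDir);
  const target = path.resolve(root, '.' + pathname);
  // Containment check: encoded "../" survives URL parsing, so test the result.
  const rel = path.relative(root, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Call after app 'ready'; pass in require('electron').
function registerAppProtocol({ protocol, net }, rootDir) {
  protocol.handle(SCHEME, (request) => {
    const file = resolveAppUrl(request.url, rootDir);
    if (!file) return new Response('Not found', { status: 404 });
    return net.fetch(pathToFileURL(file).toString());
  });
}
// Then load the window with win.loadURL('app://bundle/index.html').
```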
