When Electron.jl launches a new electron process, it passes a secure cookie which is then used to authenticate the electron process when it tries to connect back to the Julia process. I’m not sure I understand the purpose of this, for several reasons:
The cookie is passed on the command line; hence it can be seen by many other processes on the system; hence it isn’t really secure.
Blink.jl seems to be doing just fine with no authentication at all. What is different about Electron.jl that Electron.jl needs authentication but Blink.jl doesn’t?
Impressive detective skills! I’m pretty sure I tried looking at the git blame, but I wasn’t able to piece the story together as clearly as you did.
So to wrap it up, it seems the story here is that the secure cookie was originally intended to be passed via Electron’s stdin (hence securely), but then that doesn’t work on Windows and so the cookie was moved to the command line as a quick fix to make things work again.
That’s right, and the quick fix turned into a not-so-quick fix
Realistically though I’m not sure there’s actually a security hole here: It seems Electron only uses local sockets (unix domain sockets / windows named pipes), so an attacking process probably needs to be running as the current user (see Named Pipe Security and Access Rights - Win32 apps | Microsoft Docs for windows. For unix it depends on the permissions of the socket file which is created.).
If you’ve got an untrusted process running as the current user, the game is pretty much over anyway!