Not that I’m aware of.

It doesn’t have to be what most consider malware. Does it ever talk to google for/about anything?

Chromium itself is 100% open source… if there were some nefarious Google back door, it’s out there in the open waiting to be found.

I agree Google’s behavior is problematic at times, but implying that they’ve embedded malware in an open source project is totally unsubstantiated. Even a company wanted to be evil, that’s not the way to do it… it’s just too easy to get caught!

My question: since google does Nothing out of the goodness of their heart, what access Do they have?

FYI: I use none of the applications on your list

Since you mentioned the Flight Sim Labs debacle, it’s worth noting that CEF running in an app is 100% separate from any installation of Chromium or Chrome on your PC. That means no access to shared passwords, cookies, history, etc.

Now obligatory where is my __________ barb (seasons!)

Ahhh! I understand now. What you’re talking about was Austin’s support for untowered operations. I’m not sure what the state of that is right now, but we discovered a handful of show-stopping issues that required the entire project to be put on the back burner. Austin was… a few orders of magnitude too optimistic in suggesting it would be “no problem” to get it into 11.10.

Hehe. In an attempt to not belabor the point, I actually left off from that list the fact that both Unity and Unreal (the two most widely used game engines) support CEF out of the box.

So, no, it is factually inaccurate to say that games don’t use webviews.

Also I’m glad that you are fully aware of the security risk which is not a question of personal interest or taste but a real problem that no one should ever underestimate!

What ever will be your counter measure against the the persistent threat of malicious online activity – a “master switch” for the user to enable or disable online connectivity of CEF should be implemented.

If there is online traffic caused by CEF, the user
a) should be aware of it and
b) needs to be the final authority to approve or disapprove it.

The default setup of such a “master switch” should be “off”.

3rd party devs then need to be encouraged to explain why they use CEF and why it is required to switch it to on or what feature will be hampered or non-functional if the switch is turned to “off”.

I do not know if “off” could also disable already implemented CEF versions used by other developers. I wish it was possible.

Also it should be tested if security software is reliably compatible to X-Plane’s CEF implementation. I know that this will be very very difficult because there is a bunch of different security software available – for Windows, Mac and Linux! You should consider that security software also could flag X-Plane itself as malware when using CEF:
==========================
>>One worry is that if too many instances of CEF are being used for malicious purposes, it might lead to the framework being blacklisted by endpoint security products. “Given the large number of companies currently using libcef for legitimate purposes I think it’s unlikely that we’ll end up on any anti-virus black lists,” Greenblatt said. “Companies are also encouraged to sign all of their binaries, including CEF binaries, before distribution.”<<
==========================
source: https://www.darkreading.com/risk-management/malware-developers-hijack-chromium-framework/d/d-id/1109259

"I think it's unlikely that we'll end up on any anti-virus black lists […]" – this is an opinion and some degree of hope but no guarantee!

Chromium requires patches – just like any other browser, embedded as a frame work or stand alone. Also Steam is updating and patching there portal software. But X-Plane cannot update/patch it for add-on compatibility reasons – this makes me a little nervous.

Again: I got your point but opening "Pandora's Box" also is a question of responsibility. I assume that it will be the user who'll have to take all risks but if so, the user really – as a minumum – requires active control about if/how CEF talks to the (dirty) internet.

If VR users then like to benefit from CEF – even for browsing cat videos – why not? But it needs to happen by user's intention and not because of any unknown activity "under the hood".

You may think now that I am suffering from paranoia, but security risks are growing dramatically. I understand that CEF is already being used by some add-ons – but this is no excuse to accept additional security issues being implemented by X-Plane.

Regards,
Marc

I get people are concerned about the security of it, but this is where as a user you manage the risk, you may feel comfortable reading the news, watching videos or using web based flight planning, just don’t do your banking in any CEF based application. If you think the scope of CEF is limited to a fancy EFB on payware aircraft, that’s a very narrow snapshot of the potential, look further.

The possibilities for devs with even read/write on datarefs exposed through a javascript API is huge. Think about the requirements for people extending X-Plane right now, they need a background in cross-platform dev (C/C++, other compatible binary) or Lua most commonly, not a problem for some people. If you just add the people with web development skills to that group, you’re in a good place.

The positive thing here is the scope of what CEF exposes to JS is under control of LR, they can limit you to a single dataref or go, “you know what, that UI was so 2017 let’s use CEF for everything”. I’m confident LR wont cripple the implementation to the point we will never see a return on investment from the overhead, that’s a good place to be.