@bluca @pid_eins @phako writing js is as hard as any other program, and it is turing complete which makes "configuration" uncheckable (unless you solved the halting problem) and this is definitely not good security.
A decent basic configuration set + extension via IPC for those extremely rare cases where you would need it (and that you can block) would be much better from a security pov.
@bluca @pid_eins @phako Most people can't think adversarially when writing code, which means using js to configure access to a high privileges is very risky. And can't be easily checked for correctness.
If you do anything more complex than just assigning variables you risk opening huge holes by not paying attention at how things are evaluated.