The key to security is the control over the source of content being loaded into the browser.

To prevent untrusted executable code from affecting the system, a web browser is typically isolated from an operating system and underlying hardware. However, in environments that are controlled by manufacturers or developers, this isolation can be removed to give applications full control over the system. For this, we deliberately let the Pyxis web runtime access hardware and system functions in front-end JavaScript code. It is required that all web page documents with executable code are preliminary loaded and stored locally in the file system. Only non-executable data can be exchanged with an external server via web sockets or otherwise. This prevents any malicious code from getting into the system. 

If the application requires loading content from the web for some reason, the same-origin policy requires all executable code to come from the same trusted site, where the browser is initially directed to when the system is configured.

If you have any additional questions, please email