From 706b02545db81b5712eb105c2b94f824d40f6be7 Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Thu, 2 Jul 2026 00:21:55 -0400 Subject: [PATCH] fix(security): tighten the webview CSP (was fully open) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit script-src drops unsafe-inline/blob/data/http/https (any-origin script exec is gone); the single inline shim in index.html is hash-pinned; object-src 'none', base-uri 'self'. Kept deliberately: 'unsafe-eval' (the window.eval native→web bridge + crypto wasm), broad connect-src (arbitrary homeservers), http: in img/media (plain-http homeservers), and review-added allowances for Google Fonts (VT323) and the OpenStreetMap location iframe. NEEDS RUNTIME SMOKE ON WINDOWS before release (CI can't catch CSP breakage): boot, avatars/media, VT323 renders, location map embeds, calls connect, deep links navigate. Co-Authored-By: Claude Opus 4.8 --- src-tauri/tauri.conf.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json index a14ca30..9158d63 100644 --- a/src-tauri/tauri.conf.json +++ b/src-tauri/tauri.conf.json @@ -70,7 +70,8 @@ }, "app": { "security": { - "csp": "default-src 'self' blob: data: filesystem: ws: wss: http: https: tauri:; script-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem: ws: wss: http: https: tauri:; style-src 'self' 'unsafe-inline' blob: data: filesystem: http: https:; img-src 'self' data: blob: filesystem: http: https:; media-src 'self' blob: data: mediastream:; connect-src 'self' blob: ipc: ws: wss: http: https: http://ipc.localhost" + "__csp_notes": "Tightened from the fully-open policy (audit 2026-07). script-src: 'unsafe-eval' MUST stay — the native→web bridge (forward_deeplink/emit_to_web) uses window.eval, which page CSP governs (also covers the crypto wasm). The sha256 hash allows the single inline `window.global ||= window;` shim in cinny's index.html (line ~96) — if that snippet or its indentation changes, recompute the hash or the shim is silently blocked. connect-src stays broad: users connect to arbitrary homeservers (img/media keep http: for plain-http homeservers, matching connect-src). Review-added allowances: Google Fonts (VT323 stylesheet+font in index.html) and the OpenStreetMap embed iframe (m.location messages). style-src keeps 'unsafe-inline' for React style attributes.", + "csp": "default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-dT6noyex1I8o5CS9Sx/y8UOqwpZYIridpGz92gcObIM='; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: blob: http: https:; media-src 'self' blob: data: mediastream: http: https:; worker-src 'self' blob:; frame-src 'self' blob: https://www.openstreetmap.org; connect-src 'self' blob: data: ipc: ws: wss: http: https: http://ipc.localhost; object-src 'none'; base-uri 'self'" } } } \ No newline at end of file