Files
cinny-desktop/src-tauri
jared 1c05ef6a7a
Build Lotus Chat Desktop / prepare (push) Successful in 5s
Build Lotus Chat Desktop / build-linux (push) Successful in 23m28s
Build Lotus Chat Desktop / build-windows (push) Successful in 23m28s
Build Lotus Chat Desktop / update-manifest (push) Successful in 8s
fix(config): drop the __csp_notes field — Tauri config schema is strict
`app.security.__csp_notes` failed `tauri.conf.json` schema validation
("Additional properties are not allowed") on BOTH platforms before any
compile. JSON can't hold comments and Tauri forbids extra keys, so the
rationale lives here instead:

CSP rationale (audit 2026-07): tightened from the fully-open policy.
- 'unsafe-eval' MUST stay: the native→web bridge (forward_deeplink /
  emit_to_web) uses window.eval, governed by page CSP; also covers crypto wasm.
- The sha256 hash allowlists the single inline `window.global ||= window;`
  shim in cinny's index.html (~line 96). If that snippet or its indentation
  changes, recompute the hash or the shim is silently blocked.
- connect-src / img-src / media-src keep http: (plain-http homeservers).
- Review-added: Google Fonts (VT323) + OpenStreetMap iframe (m.location).
- style-src keeps 'unsafe-inline' for React style attributes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 09:37:31 -04:00
..
2022-04-29 19:52:14 +05:30
2026-03-03 23:16:04 +11:00
2026-05-15 19:16:31 +10:00