cinny-desktop/src-tauri
jared 706b02545d fix(security): tighten the webview CSP (was fully open)

script-src drops unsafe-inline/blob/data/http/https (any-origin script exec is
gone); the single inline shim in index.html is hash-pinned; object-src 'none',
base-uri 'self'. Kept deliberately: 'unsafe-eval' (the window.eval native→web
bridge + crypto wasm), broad connect-src (arbitrary homeservers), http: in
img/media (plain-http homeservers), and review-added allowances for Google
Fonts (VT323) and the OpenStreetMap location iframe.

NEEDS RUNTIME SMOKE ON WINDOWS before release (CI can't catch CSP breakage):
boot, avatars/media, VT323 renders, location map embeds, calls connect, deep
links navigate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 08:49:07 -04:00