706b02545d
script-src drops unsafe-inline/blob/data/http/https (any-origin script exec is gone); the single inline shim in index.html is hash-pinned; object-src 'none', base-uri 'self'. Kept deliberately: 'unsafe-eval' (the window.eval native→web bridge + crypto wasm), broad connect-src (arbitrary homeservers), http: in img/media (plain-http homeservers), and review-added allowances for Google Fonts (VT323) and the OpenStreetMap location iframe. NEEDS RUNTIME SMOKE ON WINDOWS before release (CI can't catch CSP breakage): boot, avatars/media, VT323 renders, location map embeds, calls connect, deep links navigate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
{
"bundle": {
"active": true,
"targets": "all",
"windows": {
"certificateThumbprint": null,
"digestAlgorithm": "sha256",
"timestampUrl": "",
"webviewInstallMode": {
"type": "downloadBootstrapper"
},
"nsis": {
"installMode": "currentUser"
},
"wix": {
"bannerPath": "wix/banner.bmp",
"dialogImagePath": "wix/dialogImage.bmp"
}
},
"icon": [
"icons/32x32.png",
"icons/128x128.png",
"icons/128x128@2x.png",
"icons/icon.icns",
"icons/icon.ico"
],
"resources": [],
"externalBin": [],
"copyright": "",
"category": "SocialNetworking",
"shortDescription": "Yet another matrix client",
"longDescription": "",
"macOS": {
"frameworks": [],
"minimumSystemVersion": "",
"exceptionDomain": "",
"signingIdentity": null,
"providerShortName": null,
"entitlements": null
},
"linux": {
"deb": {
"depends": []
}
},
"createUpdaterArtifacts": "v1Compatible"
},
"build": {
"beforeBuildCommand": "cd cinny && npm run build",
"frontendDist": "../cinny/dist",
"beforeDevCommand": "cd cinny && npm start",
"devUrl": "http://localhost:8080"
},
"productName": "Lotus Chat",
"mainBinaryName": "cinny",
"version": "4.12.2",
"identifier": "org.lotusguild.lotus-chat",
"plugins": {
"updater": {
"pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDM1N0Y0RThCQTJEQzY1NTkKUldSWlpkeWlpMDUvTlVjejMzN0E1U0FiaVpLK05QVkRXdWlMMm1NNUprMXAvTGZSbU5maVovNmwK",
"endpoints": [
"https://code.lotusguild.org/LotusGuild/cinny-desktop/releases/download/latest/release.json"
]
},
"deep-link": {
"desktop": {
"schemes": ["matrix"]
}
}
},
"app": {
"security": {
"__csp_notes": "Tightened from the fully-open policy (audit 2026-07). script-src: 'unsafe-eval' MUST stay — the native→web bridge (forward_deeplink/emit_to_web) uses window.eval, which page CSP governs (also covers the crypto wasm). The sha256 hash allows the single inline `window.global ||= window;` shim in cinny's index.html (line ~96) — if that snippet or its indentation changes, recompute the hash or the shim is silently blocked. connect-src stays broad: users connect to arbitrary homeservers (img/media keep http: for plain-http homeservers, matching connect-src). Review-added allowances: Google Fonts (VT323 stylesheet+font in index.html) and the OpenStreetMap embed iframe (m.location messages). style-src keeps 'unsafe-inline' for React style attributes.",
"csp": "default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-dT6noyex1I8o5CS9Sx/y8UOqwpZYIridpGz92gcObIM='; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: blob: http: https:; media-src 'self' blob: data: mediastream: http: https:; worker-src 'self' blob:; frame-src 'self' blob: https://www.openstreetmap.org; connect-src 'self' blob: data: ipc: ws: wss: http: https: http://ipc.localhost; object-src 'none'; base-uri 'self'"
}
}
}