Improve content security policy in renderer and in webview iframe #89
Comments
This was referenced Mar 20, 2023
tjcouch-sil
added a commit
that referenced
this issue
Mar 20, 2023
This was referenced May 10, 2023
|
Split a couple things out into higher priority #227 |
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are some improvements we can make to tighten security by modifying our content security policy in renderer's
index.ejsand in webview'sWebViewService.ts:index.ejsconnect-srcws:so it specifies the url we are supposed to connect to as listed inClientNetworkConnector.tsindex.ejsandweb-view.service.tsscript-srcso they don't use'unsafe-inline''unsafe-inline'needs to be here becauseiframes withsrcdocsources inherits the CSP of their parent frame and layer over it with their own. We need to move web view source to be served from the backend. Then they can have their own independent CSP. But we need to make sure to serve them from the same origin or they won't be able to use papi and such.https://stackoverflow.com/questions/30428681/is-it-possible-to-have-csp-only-apply-to-the-parent-frame-not-any-iframes
papi-extension:) - probably don't need it outside of webviews, so putting it onframe-srcand nothing else might work just fine if we get theunsafe-inlineproblem fixedwasm-unsafe-inlinefrom parent? Could that be an avenue to inject code into the parent from children? Don't think so currentlyscript-srcvsscript-src-elem(disabling in-line attribute scripts) inindex.ejsand inWebViewService.ts. Does this decision actually impact security?document.createElementand watching script and iframe tags, yes, this does impact security. We now usescript-src-elemto avoid having to watch every avenue through which inline scripts could come from children.Closely related to #227
The text was updated successfully, but these errors were encountered: