File: crates/web/index.html:32
Severity: security
Obvious? yes
connect-src 'self' ws: wss: https: permits XHR/fetch/WebSocket connections to any host on those schemes. Any XSS or supply-chain JS injection (or even a maliciously-crafted relay-URL probe) can exfiltrate identity keys, channel keys, and message bodies to an attacker-controlled https://exfil.example or wss://... endpoint without the CSP blocking it. The justification comment (relay WebSocket + /bootstrap-id HTTP probe) does not require a scheme-wide wildcard: relay URLs are user-configured but form a finite set, so the app could emit the connect-src directive at page-load time from the configured relay origin (a CSP nonce does not help here, since nonces apply to script-src/style-src and not to connect-src; the directive itself has to name the origin), or at minimum derive it from the existing relay_addr configuration, e.g. wss://relay.willow.dev wss://localhost:* https://relay.willow.dev. Combined with the still-present script-src 'unsafe-eval' (line 32, tracked by #171/#425), the CSP provides no meaningful exfiltration containment if any script-execution gap exists.
Fix: replace the https: and wss: wildcards in connect-src with the concrete relay origin set, or generate the directive at build time from relay-config; ws: should likewise be limited to loopback dev relays rather than any host. At minimum, drop https: (only the relay's /bootstrap-id is fetched over HTTP, and that value could instead be delivered over the already-allowed wss: connection or through a same-origin proxy).
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
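The build-time generation suggested in the fix, as an added example (this is not the project's own code; it assumes the relay list arrives as a slice of URL strings, that the /bootstrap-id probe is served over https on the same host:port as the wss endpoint, and that plaintext ws:// is tolerated only for loopback relays). It reduces each configured relay URL to a concrete CSP host-source, refuses anything that would widen the allow-list (scheme-only sources, wildcard hosts, userinfo), and includes a check that flags the shipped wildcard shape:

```rust
// Added example, not the project's code: derive a CSP connect-src directive
// from configured relay URLs instead of shipping ws: wss: https: wildcards.
// Assumptions (not from the finding): relays are given as URL strings, the
// /bootstrap-id probe uses https on the same host:port as the wss endpoint,
// and plaintext ws:// is only accepted for loopback hosts.

fn is_loopback(host: &str) -> bool {
    matches!(host, "localhost" | "127.0.0.1")
}

/// Reduce a relay URL to (scheme, host, port) suitable for a CSP host-source.
/// Rejects scheme-only sources, wildcard hosts, userinfo and IPv6 literals
/// (the latter simply not handled here) so the result can never widen the list.
fn relay_origin(url: &str) -> Result<(String, String, String), String> {
    let (scheme, rest) = url
        .split_once("://")
        .ok_or_else(|| format!("{}: not a relay URL (expected scheme://host)", url))?;
    let scheme = scheme.to_ascii_lowercase();
    if scheme != "wss" && scheme != "ws" {
        return Err(format!("{}: relay scheme must be ws or wss", url));
    }
    // The authority ends at the first path, query or fragment delimiter.
    let authority = rest
        .split(|c| c == '/' || c == '?' || c == '#')
        .next()
        .unwrap_or("");
    if authority.is_empty() || authority.contains('@') || authority.contains('[') {
        return Err(format!("{}: empty host, userinfo or IPv6 literal not accepted", url));
    }
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, p),
        None => (authority, ""),
    };
    let host = host.to_ascii_lowercase();
    let host_ok = !host.is_empty()
        && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if !host_ok {
        return Err(format!("{}: host must be a concrete DNS name or IPv4 address", url));
    }
    // CSP allows a literal '*' port (wss://localhost:*), digits, or none.
    let port_ok = port.is_empty() || port == "*" || port.chars().all(|c| c.is_ascii_digit());
    if !port_ok {
        return Err(format!("{}: port must be numeric or '*'", url));
    }
    if scheme == "ws" && !is_loopback(&host) {
        return Err(format!("{}: plaintext ws:// only accepted for loopback relays", url));
    }
    Ok((scheme, host, port.to_string()))
}

/// Build the full connect-src directive: 'self', each relay's WebSocket
/// origin, and the matching http(s) origin for the /bootstrap-id probe.
/// Duplicates are collapsed while preserving configuration order.
fn connect_src(relays: &[&str]) -> Result<String, String> {
    let mut sources: Vec<String> = vec!["'self'".to_string()];
    for url in relays {
        let (scheme, host, port) = relay_origin(url)?;
        let hostport = if port.is_empty() { host.clone() } else { format!("{}:{}", host, port) };
        let ws_origin = format!("{}://{}", scheme, hostport);
        let probe_scheme = if scheme == "wss" { "https" } else { "http" };
        let probe_origin = format!("{}://{}", probe_scheme, hostport);
        for s in [ws_origin, probe_origin] {
            if !sources.contains(&s) {
                sources.push(s);
            }
        }
    }
    Ok(format!("connect-src {}", sources.join(" ")))
}

/// True if any source in the directive is a bare scheme (ws:, wss:, https:),
/// i.e. the shape this finding is about.
fn has_scheme_wildcard(directive: &str) -> bool {
    directive
        .split_whitespace()
        .skip(1) // the directive name itself
        .any(|s| s.ends_with(':') && !s.contains("//"))
}

fn main() {
    let shipped = "connect-src 'self' ws: wss: https:";
    println!("{}  -> scheme wildcard: {}", shipped, has_scheme_wildcard(shipped));
    // Constructed relay configuration for the example.
    match connect_src(&["wss://relay.willow.dev", "wss://localhost:*"]) {
        Ok(d) => println!("{}  -> scheme wildcard: {}", d, has_scheme_wildcard(&d)),
        Err(e) => eprintln!("relay config rejected: {}", e),
    }
}
```

The generator fails closed: a relay entry that is itself a wildcard (wss://*) or a bare scheme is an error at build time rather than a silently permissive CSP, which is the property the current hand-written directive lacks.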