File: crates/web/index.html:32
Severity: security
Obvious? no
The CSP meta tag declares no reporting endpoint (report-uri / report-to) and no require-trusted-types-for 'script'. Consequences: (a) a future XSS or CSP-bypass attempt fails silently — there is no telemetry for security incidents, so an attacker can iterate freely; (b) Trusted Types would mechanically prevent every DOM-injection sink (Element.innerHTML, Document.write, eval, setTimeout(string)) at the platform level. Today the codebase relies on Leptos' attribute escaping and on a hand-audited absence of set_inner_html, but a future PR adding set_inner_html for, e.g., Markdown rendering, has no defence-in-depth backstop. The explicit js_sys::eval(...) calls in crates/web/src/main.rs:17, crates/web/src/app.rs:23,63,1128,1132,1147 and crates/web/src/components/mobile_shell.rs:420 mean Trusted Types would currently break the app — but several of these eval calls have NO user-controlled inputs (static literals) and could trivially be replaced with direct web_sys bindings. Also missing: upgrade-insecure-requests (would automatically rewrite the http:// autolinks tracked at #597 to https://, mitigating the mixed-content path even if the autolink regex regresses).
Fix: add report-uri /csp-report (or report-to) + upgrade-insecure-requests, and file an issue to deploy require-trusted-types-for 'script' jointly with the unsafe-eval removal in #171/#425. Update REQUIRED_CSP_DIRECTIVES in crates/web/tests/static_assets.rs:122 to assert the new directives.
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
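A check in the spirit of the REQUIRED_CSP_DIRECTIVES assertion the fix asks for, as an added example that is not the project's own test code: it pulls the policy out of a constructed index.html stand-in, parses it, and reports which of the requested directives are absent (accepting report-uri or report-to, and requiring the 'script' value on require-trusted-types-for). The sample HTML, the directive list and the function names are assumptions, not copied from crates/web/tests/static_assets.rs.

```rust
use std::collections::HashMap;
// Directive groups the policy must declare; any one name in a group satisfies
// it (report-uri OR report-to, as the finding allows). Assumed, not the project's list.
pub const REQUIRED_CSP_DIRECTIVES: &[&[&str]] = &[
    &["default-src"],
    &["script-src"],
    &["report-uri", "report-to"],
    &["upgrade-insecure-requests"],
    &["require-trusted-types-for"],
];

// Constructed stand-in for the pre-fix CSP meta tag (not the real index.html).
pub const SAMPLE_INDEX_HTML: &str = r#"<head><meta http-equiv="Content-Security-Policy"
  content="default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self'"></head>"#;

// Pull the `content` attribute out of the CSP meta tag; None if the tag is absent.
pub fn extract_csp(html: &str) -> Option<&str> {
    let tag = &html[html.find("http-equiv=\"Content-Security-Policy\"")?..];
    let start = tag.find("content=\"")? + "content=\"".len();
    let value = &tag[start..];
    Some(&value[..value.find('"')?])
}

// Split a policy into directive name -> source list (names are case-insensitive).
pub fn parse_csp(policy: &str) -> HashMap<String, Vec<String>> {
    policy
        .split(';')
        .filter_map(|directive| {
            let mut parts = directive.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(str::to_string).collect()))
        })
        .collect()
}

// Required groups the policy does not satisfy (reported by their first name),
// plus a check that require-trusted-types-for actually names 'script'.
pub fn missing_directives(policy: &str) -> Vec<&'static str> {
    let parsed = parse_csp(policy);
    let mut missing: Vec<&'static str> = REQUIRED_CSP_DIRECTIVES
        .iter()
        .filter(|group| !group.iter().any(|name| parsed.contains_key(*name)))
        .map(|group| group[0])
        .collect();
    if let Some(values) = parsed.get("require-trusted-types-for") {
        if !values.iter().any(|v| v == "'script'") {
            missing.push("require-trusted-types-for 'script'");
        }
    }
    missing
}
```

Run against the sample it reports the three gaps named in this finding; against a policy carrying report-to, upgrade-insecure-requests and require-trusted-types-for 'script' it reports none.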