Skip to content

fix(security): 2 improvements across 2 files#513

Open
tomaioo wants to merge 2 commits into
lacymorrow:mainfrom
tomaioo:fix/security/unsafe-content-security-policy-with-unsa
Open

fix(security): 2 improvements across 2 files#513
tomaioo wants to merge 2 commits into
lacymorrow:mainfrom
tomaioo:fix/security/unsafe-content-security-policy-with-unsa

Conversation

@tomaioo
Copy link
Copy Markdown

@tomaioo tomaioo commented May 21, 2026

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: High | File: src/renderer/chooser.html:L6

The chooser.html file uses a very permissive Content-Security-Policy that allows 'unsafe-inline' for scripts and styles, and 'unsafe-eval' for scripts. This significantly weakens the security benefits of CSP and could allow XSS attacks if any user-controlled data reaches the renderer.

Solution

Remove 'unsafe-inline' and 'unsafe-eval' from the CSP. Use nonce or hash-based CSP for inline scripts. If 'unsafe-eval' is needed for a specific library, consider using a safer alternative or sandboxing that code.

Changes

  • src/renderer/chooser.html (modified)
  • src/renderer/index.html (modified)

tomaioo added 2 commits May 20, 2026 23:11
@tomaioo
fix(security): 2 improvements across 2 files
9fff6a8 
- Security: Unsafe Content Security Policy with 'unsafe-inline' and 'unsafe-eval'
- Security: Unsafe Content Security Policy with 'unsafe-inline' and 'unsafe-eval'

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@tomaioo
fix(security): 2 improvements across 2 files
b82484a 
- Security: Unsafe Content Security Policy with 'unsafe-inline' and 'unsafe-eval'
- Security: Unsafe Content Security Policy with 'unsafe-inline' and 'unsafe-eval'

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist Bot commented May 21, 2026

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@lacymorrow
Copy link
Copy Markdown
Owner

lacymorrow commented Jun 1, 2026

Reviewed the CSP changes. A couple of notes before merging:

feather-icons eval dependency: vendor/feather/feather-icons.min.js contains Function('return this')() in its UMD global detection. In Electron renderers with node integration enabled, typeof module === 'object' is true so feather uses the CommonJS path and this eval code is likely bypassed. But it's worth testing to confirm the renderer loads correctly after this change.

chooser.html script-src change: The new CSP adds https: to script-src in chooser.html (script-src 'self' https:). That actually broadens script loading to any HTTPS URL, which is more permissive than intended for a local renderer. Recommend using just 'self' there to match index.html.

Suggest testing the renderer (both the main window and the crosshair chooser) with these CSP changes before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tomaioo @lacymorrow