improvement: tighten CSP a little #20
Conversation
|
why is this needed at all? what advantage it brings? I can only see potential problems for no gains 🤔 |
|
The advantage is that it's harder to abuse a compromised app.
If you encounter a problem, then the CSP can be changed as needed. |
but what compromised app? the app will come from us I don't think it makes sense at this point to be worrying about such details and focus in getting the important things that we need working before adding more complexity |
|
Content security policy is not only for running knowingly untrusted content. You should have it on your website too.
We have a billion of dependencies, the compressed JavaScript itself is 1600 lines formatted with Prettier. I'm not saying that this is a top-priority thing, but I don't see how adding this line can be a maintenance burden. |
|
just thinking about this, what the CSP protects is against loading urls of scripts, right? anyways if we get a malicious dependency injecting code, they can as well just use WebRTC to leak the data instead of REST API and this wouldn't protect against it, did I got that right? |
|
Yes, it's possible to exfiltrate and infiltrate data using. This is not the only thing that CSP is made to protects against. A proper CSP should also not allow inline scripts, see #21. But we do not to consider all possible attacks in order to think about whether we need a CSP. Just make a CSP as tight as possible, and be done with it. |
|
OK, let's delegate the responsibility for setting the CSP to host app developers. We probably cannot have "one CSP to rule them all". For example, in desktop, to add a ringtone, we add it in the preload script, which requires us to add |
TODO: