fix: add CSP security headers #111
Code Review
This pull request updates the Content Security Policy (CSP) in tauri.conf.json to define specific source restrictions. Feedback was provided regarding the script-src directive, noting that the use of 'unsafe-inline' and 'unsafe-eval' introduces security risks and should be removed if not strictly necessary.
| "security": { | ||
| "csp": null | ||
| "csp": "default-src 'self'; img-src 'self' asset: https://asset.localhost; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://api.github.com;" |
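Review bot: the added `script-src 'self' 'unsafe-inline' 'unsafe-eval'` on this line defeats the purpose stated in the PR title, because 'unsafe-inline' lets any injected inline `<script>` or event handler run and 'unsafe-eval' lets attacker-controlled strings reach eval()/new Function(); drop both unless a production build is shown to fail without them. Replacing `"csp": null` with any policy is an improvement, but two directives still get no useful value from `default-src 'self'`: base-uri does not inherit from default-src at all, and object-src inherits 'self' rather than 'none', so append `object-src 'none'; base-uri 'self'` to the string.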
The script-src directive includes 'unsafe-inline' and 'unsafe-eval', which significantly weaken the Content Security Policy. These allow the execution of inline scripts and dynamic code evaluation (like eval()), making the application vulnerable to XSS attacks. Since the goal of this PR is to improve security and isolate the application, it is highly recommended to remove these unless they are strictly required by your frontend framework for production builds.
| "csp": "default-src 'self'; img-src 'self' asset: https://asset.localhost; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://api.github.com;" | |
| "csp": "default-src 'self'; img-src 'self' asset: https://asset.localhost; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' https://api.github.com;" |
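Review bot: the suggested line tightens script-src to 'self' but leaves `style-src 'self' 'unsafe-inline'`, which still lets injected CSS restyle the UI or leak attribute values through selector-based requests; if the frontend genuinely emits inline `<style>` blocks, a hash or nonce source is the safer replacement. Before merging, load the production build with the stricter policy and confirm the webview console shows no CSP violation reports, since a framework that relies on inline or eval'd scripts will fail silently otherwise.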
This PR adds Content-Security-Policy (CSP) headers to the Tauri configuration to prevent XSS attacks and securely isolate the application. Fixes #107
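The weaknesses discussed in this thread are mechanical enough to check automatically. The following is an added example, not code from this PR or from the Tauri project: a small CSP linter in plain JavaScript that parses a policy string, resolves `default-src` fallback the way the CSP3 specification does (base-uri, form-action and frame-ancestors never inherit), and reports the directives a reviewer would flag. The two policy strings are copied from the diff above; `HARDENED_CSP` is an assumed stricter policy written for this example, and the finding messages are this example's own wording.

```javascript
// Added example (not part of the PR or the Tauri project): lint a
// Content-Security-Policy string for the weaknesses raised in review.

// Copied from the diff: the policy as proposed, and the reviewer's suggestion.
const PROPOSED_CSP =
  "default-src 'self'; img-src 'self' asset: https://asset.localhost; " +
  "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "connect-src 'self' https://api.github.com;";

const SUGGESTED_CSP =
  "default-src 'self'; img-src 'self' asset: https://asset.localhost; " +
  "style-src 'self' 'unsafe-inline'; script-src 'self'; " +
  "connect-src 'self' https://api.github.com;";

// Assumed hardened policy for this example (not from the PR): inline styles and
// scripts removed, plugins blocked, base tag pinned to the app origin.
const HARDENED_CSP =
  "default-src 'self'; img-src 'self' asset: https://asset.localhost; " +
  "style-src 'self'; script-src 'self'; connect-src 'self' https://api.github.com; " +
  "object-src 'none'; base-uri 'self';";

// Fetch directives that fall back to default-src when absent (CSP3).
// Note what is NOT here: base-uri, form-action, frame-ancestors, sandbox.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "media-src", "object-src", "frame-src", "worker-src", "child-src",
  "manifest-src", "prefetch-src",
]);

// Parse "dir src src; dir2 src" into Map<directive, [source expressions]>.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored after its first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a directive, or null when it is unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// Return an array of findings; an empty array means the policy passed.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  const script = effectiveSources(d, "script-src");
  if (script === null) {
    findings.push("script-src: unrestricted (no script-src and no default-src)");
  } else {
    // With a nonce or hash present, browsers ignore 'unsafe-inline', so only
    // flag it when it is actually effective.
    const hasNonceOrHash = script.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' allows injected inline scripts (XSS)");
    if (script.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows eval()/new Function() on attacker strings");
    if (script.includes("*") || script.some(s => /^https?:$/.test(s)))
      findings.push("script-src: wildcard or bare scheme lets any matching origin run scripts");
  }

  const style = effectiveSources(d, "style-src");
  if (style !== null && style.includes("'unsafe-inline'"))
    findings.push("style-src: 'unsafe-inline' permits injected CSS (UI redress, attribute exfiltration)");

  const object = effectiveSources(d, "object-src");
  if (object === null || !object.includes("'none'"))
    findings.push("object-src: not 'none'; plugin/<object> content can still load from allowed sources");

  if (!d.has("base-uri"))
    findings.push("base-uri: missing and does not inherit from default-src");

  return findings;
}

// Run it against the three policies.
for (const [label, policy] of [["proposed", PROPOSED_CSP], ["suggested", SUGGESTED_CSP], ["hardened", HARDENED_CSP]]) {
  console.log(`${label}: ${lintCsp(policy).length} finding(s)`);
  for (const f of lintCsp(policy)) console.log("  - " + f);
}
```

The linter only reads the string; it cannot tell you whether the frontend bundle actually needs inline scripts. The Tauri documentation states that Tauri appends nonces and hashes for the scripts it injects itself, so 'unsafe-inline' is not required for Tauri's own code; whether the app's framework needs it is settled by loading the production build under the stricter policy and watching the webview console for CSP violation reports.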