add note about unsafe-inline + strict-dynamic

This commit is contained in:
Vendicated 2025-01-24 04:03:35 +01:00
parent f08ac7e506
commit 4c379e590f
No known key found for this signature in database
GPG key ID: D66986BAF75ECF18


@ -88,12 +88,16 @@ const patchCsp = (headers: Record<string, string[]>) => {
csp[directive].push(...values);
};
for (const directive of ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"]) {
pushDirective(directive, "blob:", "data:", "vencord:", "'unsafe-inline'");
}
pushDirective("style-src", "'unsafe-inline'");
// we could make unsafe-inline safe by using strict-dynamic with a random nonce on our Vencord loader script https://content-security-policy.com/strict-dynamic/
// HOWEVER, at the time of writing (24 Jan 2025), Discord is INSANE and also uses unsafe-inline
// Once they stop using it, we also should
pushDirective("script-src", "'unsafe-inline'", "'unsafe-eval'");
for (const directive of ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"]) {
pushDirective(directive, "blob:", "data:", "vencord:");
}
for (const [host, directives] of Object.entries(CspPolicies)) {
for (const directive of directives) {
pushDirective(directive, host);
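Review bot: The `'unsafe-inline'` pushed onto style-src (the new `pushDirective("style-src", "'unsafe-inline'")` line) and script-src is only honoured while that directive contains no `'nonce-…'`/`'sha…-…'` source — and for script-src also no `'strict-dynamic'` — because CSP2+ browsers ignore `'unsafe-inline'` once one is present, so if Discord's header ever gains a nonce the push silently becomes a no-op and the injected loader stops running rather than the policy loosening. Nothing in the hunk inspects the existing source list before pushing, so the new comment should at least record this failure mode; I would reword it to something like `// 'strict-dynamic' + a nonce on the Vencord loader script would REPLACE 'unsafe-inline' (browsers ignore 'unsafe-inline' once a nonce/hash or 'strict-dynamic' is in the directive)` followed by `// but as of 24 Jan 2025 Discord itself still relies on 'unsafe-inline'; revisit once they drop it, and note that a Discord-side nonce would also silently disable this push`. Whether Discord's live policy actually carries a nonce or hash is not visible here, so treat the breakage scenario as something to confirm against the real header. The `pushDirective` helper and the enclosing `patchCsp` both begin before and end after this hunk.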