From 4c379e590f9ebccdb4037fc898ce171811c30a1d Mon Sep 17 00:00:00 2001
From: Vendicated
Date: Fri, 24 Jan 2025 04:03:35 +0100
Subject: [PATCH] add note about unsafe-inline + strict-dynamic

---
 src/main/csp.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/main/csp.ts b/src/main/csp.ts
index 378f4b69a..c85ec7d96 100644
--- a/src/main/csp.ts
+++ b/src/main/csp.ts
@@ -88,12 +88,16 @@ const patchCsp = (headers: Record) => {
         csp[directive].push(...values);
     };
 
-    for (const directive of ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"]) {
-        pushDirective(directive, "blob:", "data:", "vencord:", "'unsafe-inline'");
-    }
-
+    pushDirective("style-src", "'unsafe-inline'");
+    // we could make unsafe-inline safe by using strict-dynamic with a random nonce on our Vencord loader script https://content-security-policy.com/strict-dynamic/
+    // HOWEVER, at the time of writing (24 Jan 2025), Discord is INSANE and also uses unsafe-inline
+    // Once they stop using it, we also should
     pushDirective("script-src", "'unsafe-inline'", "'unsafe-eval'");
 
+    for (const directive of ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"]) {
+        pushDirective(directive, "blob:", "data:", "vencord:");
+    }
+
     for (const [host, directives] of Object.entries(CspPolicies)) {
         for (const directive of directives) {
             pushDirective(directive, host);
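Review bot: The added comment ends mid-sentence at `// Once they stop using it, we also should`, so the intended follow-up for the `'unsafe-inline'` on script-src directly below is left to guesswork; finish it, e.g. `// Once they stop using it, we should drop 'unsafe-inline' here and move to a per-launch nonce + 'strict-dynamic' on the loader script`. The comment also understates the dependency on Discord's upstream policy: per CSP Level 2/3, a browser ignores `'unsafe-inline'` in any directive that also contains a nonce or hash source, so if Discord's script-src ever gains one, the values appended here silently stop allowing inline scripts and the loader breaks without any header change on this side — a note such as `// NOTE: 'unsafe-inline' is ignored once the directive carries a nonce/hash source (CSP2+); at that point strict-dynamic is required, not optional` would let a maintainer recognise that failure mode quickly. As far as the hunk shows, dropping `'unsafe-inline'` from connect/img/font/media/worker-src is safe since it has no meaning for those directives, and style-src still gets it from the dedicated push plus blob:/data:/vencord: from the loop. Both `patchCsp` and `pushDirective` begin outside the hunk, so whether duplicate values (e.g. Discord already sending 'unsafe-inline') are deduplicated cannot be judged from here.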