Security - Add Content Security Policy #2288
Conversation
|
Ideally, will we want this in the next release? |
|
Ideally! But unfortunately it's cutting it a bit close (and it's easy for this to regress some corner cases, especially around configuration), so I may not have time to complete it by Wednesday. It's not a 'new' issue per-se, it's been around for a while - Electron is just better about giving us a heads up, so I don't think it necessarily needs to block this release. But we definitely should fix it! |
Codecov Report
@@ Coverage Diff @@
## master #2288 +/- ##
=========================================
- Coverage 37.33% 37.3% -0.04%
=========================================
Files 298 298
Lines 12355 12369 +14
Branches 1634 1635 +1
=========================================
+ Hits 4613 4614 +1
- Misses 7493 7506 +13
Partials 249 249
Continue to review full report at Codecov.
|
Thanks @CrossR for catching this! There's a CSP error that the latest verison of Electron highlights. We should be setting a content security policy for Electron, to help reduce the risk of malicious script execution.
This change adds a CSP for
index.html, and provides an alternate entry point for the webpack-dev-server build (npm run start), since that needseval.There's still one problem that needs to be fixed:
With the new CSP, we can't load configuration files - they get blocked. We should move to the same strategy we use to load plugins - creating a new vmcontext to run them, so that they are isolated.