security(tauri): enable Content Security Policy #851
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Removes dangerousDisableAssetCspModification and adds strict CSP: - default-src 'self': only load from same origin - script-src 'self': prevent XSS via external scripts - style-src 'self' 'unsafe-inline': allow inline styles for MUI Addresses: SECURITY_AUDIT.md finding C4
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| ], | ||
| "security": { | ||
| "dangerousDisableAssetCspModification": true | ||
| "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.eigenwallet.org https://api.coingecko.com" |
There was a problem hiding this comment.
CSP missing Kraken API breaks rate fetching
The Content Security Policy's connect-src directive whitelists api.eigenwallet.org and api.coingecko.com, but the application also fetches from https://api.kraken.com/0/public/Ticker?pair=XMRXBT in fetchXmrBtcRate() in api.ts. This Kraken API call will be blocked by the CSP, causing the XMR/BTC exchange rate feature to silently fail.
There was a problem hiding this comment.
@segflaunt can you open a PR to fix this?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Security Issue: The Tauri GUI was running without a Content Security Policy (CSP), leaving it vulnerable to XSS and other injection attacks.
Fix: Added a CSP configuration to
tauri.conf.json:CSP Policy Explanation
default-src 'self'- Only allow resources from the same origin by defaultscript-src 'self'- Only allow scripts from the application bundlestyle-src 'self' 'unsafe-inline'- Allow styles from the app and inline styles (required for MUI styled-components)Security Impact
Testing
Checklist
🤖 Generated with Claude Code
Note
Strengthens GUI security and completes domain migration.
src-tauri/tauri.conf.jsonwithdefault-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.eigenwallet.org https://api.coingecko.comsrc-gui/src/renderer/api.tsand maker list fetch indocs/components/SwapProviderTable.tsxtohttps://api.eigenwallet.orgUpdaterDialog.tsx,ContactInfoBox.tsx, andREADME.mdtoeigenwallet.organddocs.eigenwallet.orgrpc.tscommentWritten by Cursor Bugbot for commit 276dff4. This will update automatically on new commits. Configure here.