Re-enable CSP via whitelist #1662
Conversation
|
A PR for improving security! That's great! I think we should all strive to improve security as much as possible. I would like to add some things that warrants serious consideration: These CSP rules would not stop a malicious actor, but would only limit the freedom that BetterDiscord gives. Thereby increasing the barrier of entry for future development that may need to rely on resources on a domain that is not included in this whitelist. Feel free to hit me up if you want to discuss possible alternatives, but I think that's a different topic for a different time :) |
| const whitelist = { | ||
| // Discord includes unsafe-inline already | ||
| script: [ | ||
| "https://*.github.io", |
There was a problem hiding this comment.
I think *.github.io can be removed. If some plugin still relies on it, it shall break.
| // Discord includes unsafe-inline already | ||
| script: [ | ||
| "https://*.github.io", | ||
| "https://cdnjs.cloudflare.com" // Used for Monaco |
There was a problem hiding this comment.
What do you think of hosting Monaco on betterdiscord.app instead?
There was a problem hiding this comment.
Open to tossing around the idea, but with our site issues over the last several months I'm hesitant.
| if (!this.hasUpdate || !showNotice) return; | ||
| try { | ||
| const buffer = await new Promise((resolve, reject) => { | ||
| request({ |
There was a problem hiding this comment.
No this will definitely be updated
This will re-enable the Discord CSP but whitelist all currently known used remote resources. This would finally fix #442
I personally think that we should strongly encourage themes to move off of some of these more sketchy and less reputable domains and onto others, then remove them from this list before approving.