New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Re-enable CSP via whitelist #1662
base: main
Are you sure you want to change the base?
Conversation
A PR for improving security! That's great! I think we should all strive to improve security as much as possible. I would like to add some things that warrants serious consideration: These CSP rules would not stop a malicious actor, but would only limit the freedom that BetterDiscord gives. Thereby increasing the barrier of entry for future development that may need to rely on resources on a domain that is not included in this whitelist. Feel free to hit me up if you want to discuss possible alternatives, but I think that's a different topic for a different time :) |
const whitelist = { | ||
// Discord includes unsafe-inline already | ||
script: [ | ||
"https://*.github.io", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think *.github.io
can be removed. If some plugin still relies on it, it shall break.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed
// Discord includes unsafe-inline already | ||
script: [ | ||
"https://*.github.io", | ||
"https://cdnjs.cloudflare.com" // Used for Monaco |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think of hosting Monaco on betterdiscord.app instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Open to tossing around the idea, but with our site issues over the last several months I'm hesitant.
if (!this.hasUpdate || !showNotice) return; | ||
try { | ||
const buffer = await new Promise((resolve, reject) => { | ||
request({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure about using request
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No this will definitely be updated
This will re-enable the Discord CSP but whitelist all currently known used remote resources. This would finally fix #442
I personally think that we should strongly encourage themes to move off of some of these more sketchy and less reputable domains and onto others, then remove them from this list before approving.