feat: adds restrictive content security policies

bloomwalletio · May 16, 2024 · fc5e65a · fc5e65a
1 parent 356b1ee
commit fc5e65a
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 5 deletions.
diff --git a/packages/desktop/public/about.html b/packages/desktop/public/about.html
@@ -6,6 +6,28 @@
       name="viewport"
       content="width=device-width, initial-scale=1, user-scalable=no"
     />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="
+          default-src 'self';
+          connect-src 'self';
+          img-src 'self';
+          base-uri 'self';
+          form-action 'none';
+          frame-src 'none';
+          worker-src 'none';
+          script-src-elem 'self' 'unsafe-inline';
+          script-src-attr 'none';
+          style-src-elem 'self' 'unsafe-inline';
+          style-src-attr 'none';
+          object-src 'none';
+          media-src 'self';
+          font-src 'self';
+          manifest-src 'self';
+          navigate-to 'self';
+          upgrade-insecure-requests;
+      "
+    />
     <title></title>
     <style>
       @font-face {

diff --git a/packages/desktop/public/error.html b/packages/desktop/public/error.html
@@ -5,6 +5,27 @@
     <meta charset="utf-8"/>
     <meta name="viewport"
           content="width=device-width, initial-scale=1, user-scalable=no"/>
+    <meta
+        http-equiv="Content-Security-Policy"
+        content="
+            default-src 'self';
+            connect-src 'self';
+            img-src 'self';
+            base-uri 'self';
+            form-action 'none';
+            frame-src 'none';
+            worker-src 'none';
+            script-src 'self' 'unsafe-inline';
+            style-src-elem 'self' 'unsafe-inline';
+            style-src-attr 'none';
+            object-src 'none';
+            media-src 'self';
+            font-src 'self';
+            manifest-src 'self';
+            navigate-to 'self';
+            upgrade-insecure-requests;
+        "
+    />
     <title>Bloom Error</title>
     <style>
         @font-face {

diff --git a/packages/desktop/public/index.html b/packages/desktop/public/index.html
@@ -7,13 +7,22 @@
             http-equiv="Content-Security-Policy"
             content="
                 default-src 'self';
-                connect-src 'self' https://* wss://*;
-                frame-src 'self' https://*;
+                connect-src 'self' https://* wss://relay.walletconnect.com;
+                img-src 'self' https://tideprotocol.infura-ipfs.io;
+                base-uri 'self';
+                form-action 'self';
+                frame-src 'self' https://verify.walletconnect.org https://verify.walletconnect.com;
+                worker-src 'self';
+                script-src-elem 'self' 'unsafe-inline';
+                script-src-attr 'none';
+                style-src-elem 'self' 'unsafe-inline';
+                style-src-attr 'self' 'unsafe-inline';
                 object-src 'none';
-                img-src 'self' https: data:;
-                style-src 'self' 'unsafe-inline';
                 media-src 'self' data:;
-                script-src 'self';
+                font-src 'self';
+                manifest-src 'self';
+                navigate-to 'self';
+                upgrade-insecure-requests;
             "
         />