fix: enable CSP and remove token from URL query strings#12
Open
whitelonng wants to merge 4 commits into
Open
Conversation
95ac801 to
72d06f2
Compare
Security issues fixed: 1. CSP completely disabled (csp: null) - Any XSS would be amplified 2. Mobile token transmitted via URL query (?token=...) - Leaks into server logs, browser history, and proxy caches Changes: - Enable strict CSP in tauri.conf.json with safe defaults - Remove URL query token extraction from runtime.ts getMobileToken() - Add setMobileToken() helper for explicit token storage - Replace EventSource with fetch+ReadableStream in listenStream() to support X-Mobile-Token header (EventSource doesn't support custom headers) - Add token field to MobileServiceStatus for secure display - Update Settings.tsx to show URL and token separately with manual setup guide - Auto-save token to localStorage when service status is fetched Security improvements: - Token no longer appears in URLs (no server logs/history leaks) - All token transmission now uses X-Mobile-Token header - CSP prevents inline script injection and restricts resource loading - Mobile clients must manually save token via localStorage (more secure flow) Test results: - ✅ 186 Rust unit tests pass - ✅ TypeScript type check passes
The new implementation removes token from URL query parameters for security: - getMobileToken() now only reads from localStorage (no URL extraction) - listenStream() uses fetch with X-Mobile-Token header instead of URL param - Updated tests to verify token is NOT in URL and IS in headers
For security, token is now transmitted via X-Mobile-Token header instead of URL query parameter in mobile SSE streaming.
808936f to
9ca7019
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes two critical security issues:
csp: null) - Any XSS vulnerability would be amplified without content security policy?token=...) - Leaks into server logs, browser history, and proxy cachesChanges
Backend (Rust)
tokenfield toMobileServiceStatusfor secure token deliveryFrontend (TypeScript)
tauri.conf.jsondefault-src 'self'script-src 'self' 'unsafe-inline'connect-srcallows localhost for mobile serverframe-src 'none'prevents clickjackinggetMobileToken()EventSourcewithfetch + ReadableStreamto supportX-Mobile-Tokenheader (EventSource doesn't support custom headers)Security improvements
X-Mobile-TokenheaderTest Plan
Breaking Changes
Mobile users will need to manually set up the token on first access (shown in Settings UI with copy-paste instructions). This is more secure than automatic URL-based token extraction.
Related
Complements PR #10 (token authentication) by securing the token transmission mechanism.