
feat(security): report-only Content-Security-Policy for renderer #10169

Draft

jackkav wants to merge 1 commit into develop from security/csp-report-only

Conversation

@jackkav (Contributor) commented Jun 26, 2026

Summary

Implements item 7 of the Electron security checklist ("Define a Content-Security-Policy") for the main renderer.

The app currently ships no CSP. This adds one to the index.html document served by the custom https://insomnia-app.local protocol handler.

Report-only first (by design)

The renderer is a large surface (Monaco, web workers, analytics, OAuth, custom protocols), so an over-strict enforcing policy would break flows silently. This PR ships Content-Security-Policy-Report-Only, which:

  • blocks nothing — the app behaves exactly as today;
  • makes Chromium log each violation to the renderer console ([Report Only] Refused to ...).

A follow-up will tune the directives from observed reports and then flip the header to the enforcing Content-Security-Policy.

Where it's applied

  • Added in the protocol.handle(https) handler in api.protocol.ts, since the document is served via a custom protocol (so webRequest.onHeadersReceived does not fire for it).
  • Set on the top-level index.html only; subresources inherit the document policy. Static /assets responses are untouched.
  • Note: in dev the renderer is served by the Vite dev server (APP_RENDER_URL), not this handler, so the policy applies to packaged/production builds.

Policy (first draft — to be tuned from reports)

default-src 'self';
script-src 'self' 'wasm-unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: https:;
font-src 'self' data: https://fonts.gstatic.com;
connect-src 'self' https: wss: insomnia-event-source: insomnia-templating-worker-database:;
worker-src 'self' blob:;
child-src 'self' blob:;
frame-src 'self' data:;
object-src 'none';
base-uri 'self'

Test plan

  • vitest run packages/insomnia/src/main/content-security-policy.test.ts
  • eslint + tsc clean on changed files
  • Run a packaged/dev build, open DevTools console, exercise core flows (editor, send request, OAuth, response preview, analytics) and collect [Report Only] violations to inform the enforcing follow-up

Checklist context

2 of 2 follow-up PRs from a security-checklist audit of the main window (companion: the session permission handler PR). Item 12 (webview options) is handled by #9942.

Electron security checklist item 7. Adds a Content-Security-Policy-Report-Only
header to the index.html document served by the custom https protocol handler.
Report-only mode does not block any flow; Chromium logs violations to the
renderer console so the policy can be tuned from real data before a follow-up
flips it to enforcing.

Policy lives in content-security-policy.ts and is pinned by a unit test.
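The header injection and the "document only" rule described in the PR, as an added example that is not Insomnia's own code or this PR's diff. The policy map is the draft from the description; `headersFor` and `lintCsp` are hypothetical helpers written for this example, and the only assumption about the real handler is that it knows the request URL and can pass the returned headers into the `Response` it builds. Electron's `protocol.handle` itself is not exercised here so the block runs stand-alone.

```typescript
// Added example (not Insomnia's own code): the draft policy as a typed map,
// its serializer, and a helper that attaches the header to the top-level
// document response only. Assumption: the protocol handler knows the request
// URL and builds its web Response from the headers this returns.

export type CspDirectives = Record<string, readonly string[]>;
export type CspMode = 'report-only' | 'enforce';

// Draft policy from the PR description, one directive per key.
export const RENDERER_CSP: CspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'wasm-unsafe-eval'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'blob:', 'https:'],
  'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
  'connect-src': ["'self'", 'https:', 'wss:', 'insomnia-event-source:', 'insomnia-templating-worker-database:'],
  'worker-src': ["'self'", 'blob:'],
  'child-src': ["'self'", 'blob:'],
  'frame-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// "directive src src; directive src" is the wire format of both CSP headers.
export function serializeCsp(directives: CspDirectives): string {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

export function cspHeaderName(mode: CspMode): string {
  return mode === 'enforce'
    ? 'Content-Security-Policy'
    : 'Content-Security-Policy-Report-Only';
}

// Only the navigation response gets the policy; scripts, workers and styles
// are governed by the document that loaded them, so /assets/* stays untouched.
export function isDocumentRequest(url: string): boolean {
  const { pathname } = new URL(url);
  return pathname === '/' || pathname === '/index.html';
}

// Headers for one response: the input headers, plus the CSP header when the
// request is for the document. In Electron the handler would do
//   new Response(body, { headers: headersFor(request.url, base, 'report-only') })
export function headersFor(
  url: string,
  base: Record<string, string>,
  mode: CspMode,
  policy: CspDirectives = RENDERER_CSP,
): Record<string, string> {
  if (!isDocumentRequest(url)) {
    return { ...base };
  }
  return { ...base, [cspHeaderName(mode)]: serializeCsp(policy) };
}

// Checks to run before flipping report-only to enforcing. Each string is a
// finding; an empty array means nothing obvious to tighten.
export function lintCsp(directives: CspDirectives): string[] {
  const findings: string[] = [];
  const fallback = directives['default-src'] ?? [];
  const sources = (name: string): readonly string[] => directives[name] ?? fallback;

  if (sources('script-src').includes("'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline'; inline script injection is not mitigated");
  }
  if (sources('script-src').includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval'; string-to-code sinks stay reachable");
  }
  if (!directives['object-src']) {
    findings.push("object-src not set; add object-src 'none' unless plugin content is needed");
  }
  if (!directives['base-uri']) {
    findings.push("base-uri not set; an injected <base> could redirect relative script URLs");
  }
  // Scheme-wide sources let the page talk to (or load from) any host on that scheme.
  for (const name of ['script-src', 'connect-src', 'img-src', 'font-src']) {
    for (const scheme of ['https:', 'http:', 'wss:', 'ws:', '*']) {
      if (sources(name).includes(scheme)) {
        findings.push(`${name} allows any ${scheme} origin; replace with named hosts before enforcing`);
      }
    }
  }
  return findings;
}
```

Run against the draft, `lintCsp` reports only the scheme-wide `https:`/`wss:` entries in `connect-src` and `img-src`; `object-src 'none'` and `base-uri 'self'` are already in place. Those wildcard entries are the ones to narrow to named hosts from the collected reports before the header becomes enforcing.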
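The test plan's last step is to collect `[Report Only]` violations and use them to tune the directives. Reading those off the DevTools console works for a handful; the renderer also raises a standard `securitypolicyviolation` event for every violation, which is easier to aggregate. The following is an added example, not code from this PR or from Insomnia: it buffers those events and turns them into a per-directive list of sources the current policy does not yet allow. `SAMPLE_VIOLATIONS`, `CURRENT_POLICY` and the `cdn.example.com` origin are constructed for the example; `toSourceExpression` relies on the spec behaviour that non-http(s) blocked URIs are reported as a bare scheme name (`data`, `blob`, a custom protocol) and `inline`/`eval` as keywords.

```typescript
// Added example (not Insomnia's own code): turn report-only violations seen
// in the renderer into a per-directive allowlist proposal for the enforcing
// follow-up. The event fields are those of the standard
// SecurityPolicyViolationEvent; SAMPLE_VIOLATIONS is constructed, not captured.

export interface ViolationLike {
  effectiveDirective: string;
  blockedURI: string; // absolute URL, or 'inline', 'eval', 'data', 'blob', a custom scheme, ...
  disposition: 'report' | 'enforce';
  sourceFile?: string;
  lineNumber?: number;
}

type CspDirectives = Record<string, readonly string[]>;
export type ViolationSummary = Record<string, Record<string, number>>;

// Map a blockedURI to the source expression that would permit it. Non-http(s)
// schemes arrive as the bare scheme name, so they become 'scheme:'; network
// URLs collapse to their origin so one CDN shows up once, not once per file.
export function toSourceExpression(blockedURI: string): string {
  const special: Record<string, string> = {
    inline: "'unsafe-inline'",
    eval: "'unsafe-eval'",
    'wasm-eval': "'wasm-unsafe-eval'",
  };
  const keyword = special[blockedURI];
  if (keyword !== undefined) return keyword;
  if (/^[a-z][a-z0-9+.-]*$/i.test(blockedURI)) return `${blockedURI}:`;
  try {
    const u = new URL(blockedURI);
    return u.origin === 'null' ? u.protocol : u.origin;
  } catch {
    return blockedURI;
  }
}

// directive -> source expression -> number of violations seen.
export function summarize(events: readonly ViolationLike[]): ViolationSummary {
  const out: ViolationSummary = {};
  for (const e of events) {
    const src = toSourceExpression(e.blockedURI);
    const byDirective = out[e.effectiveDirective] ?? (out[e.effectiveDirective] = {});
    byDirective[src] = (byDirective[src] ?? 0) + 1;
  }
  return out;
}

// Sources seen in reports that the current policy does not already allow.
// 'unsafe-inline' and 'unsafe-eval' are never proposed for script-src: that
// violation needs a code fix (hash, nonce, or refactor), not an allowlist entry.
export function proposeAdditions(current: CspDirectives, summary: ViolationSummary): Record<string, string[]> {
  const proposals: Record<string, string[]> = {};
  for (const [directive, seen] of Object.entries(summary)) {
    const allowed = new Set<string>(current[directive] ?? current['default-src'] ?? []);
    for (const src of Object.keys(seen)) {
      if (allowed.has(src)) continue;
      if (directive === 'script-src' && (src === "'unsafe-inline'" || src === "'unsafe-eval'")) continue;
      (proposals[directive] ?? (proposals[directive] = [])).push(src);
    }
  }
  return proposals;
}

// Renderer-side hookup: pass `document` (or any event target with the same
// listener signature) and a buffer to read back after exercising the app.
export function attachCollector(
  target: { addEventListener(type: 'securitypolicyviolation', listener: (e: ViolationLike) => void): void },
  sink: ViolationLike[],
): void {
  target.addEventListener('securitypolicyviolation', e => {
    sink.push({
      effectiveDirective: e.effectiveDirective,
      blockedURI: e.blockedURI,
      disposition: e.disposition,
      sourceFile: e.sourceFile,
      lineNumber: e.lineNumber,
    });
  });
}

// Constructed sample, shaped like what a report-only run could log.
export const SAMPLE_VIOLATIONS: ViolationLike[] = [
  { effectiveDirective: 'script-src', blockedURI: 'https://cdn.example.com/monaco/loader.js', disposition: 'report' },
  { effectiveDirective: 'script-src', blockedURI: 'https://cdn.example.com/monaco/editor.js', disposition: 'report' },
  { effectiveDirective: 'script-src', blockedURI: 'inline', disposition: 'report', sourceFile: 'https://insomnia-app.local/index.html', lineNumber: 12 },
  { effectiveDirective: 'connect-src', blockedURI: 'insomnia-event-source', disposition: 'report' },
  { effectiveDirective: 'img-src', blockedURI: 'data', disposition: 'report' },
];

// Constructed subset of a policy to diff the reports against.
export const CURRENT_POLICY: CspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'wasm-unsafe-eval'"],
  'connect-src': ["'self'", 'https:', 'wss:'],
};
```

For the sample above, `proposeAdditions` suggests `https://cdn.example.com` for `script-src`, `insomnia-event-source:` for `connect-src` and `data:` for `img-src`, and deliberately stays silent about the inline script on line 12 of `index.html`; that one should be removed or hashed rather than allowlisted, otherwise the enforcing policy would have to carry `'unsafe-inline'` in `script-src`.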
@github-actions commented
✅ Circular References Report

Generated at: 2026-06-26T09:42:03.310Z
Status: ✅ NO CHANGE

Summary

Metric                      Base (develop)   PR   Change
Total Circular References   9                9    0 (0.00%)

Circular references in PR (9):
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia/src/main/prompt-bridge.ts -> insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
insomnia/src/network/network.ts -> insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx
Circular references in base branch (9):
insomnia-inso/src/db/models/types.ts -> insomnia-inso/src/db/types.ts
insomnia/src/main/prompt-bridge.ts -> insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
insomnia/src/main/window-utils.ts -> insomnia/src/main/plugin-window.ts
insomnia/src/network/network.ts -> insomnia-scripting-environment/src/objects/index.ts -> insomnia-scripting-environment/src/objects/collection.ts -> insomnia-scripting-environment/src/objects/response.ts
insomnia/src/network/network.ts -> insomnia/src/common/render.ts
insomnia/src/ui/components/settings/import-export.tsx -> insomnia/src/ui/components/modals/export-requests-modal.tsx
insomnia/src/ui/components/tabs/tab-list.tsx -> insomnia/src/ui/components/tabs/tab.tsx
insomnia/src/ui/components/templating/tag-editor-arg-sub-form.tsx -> insomnia/src/ui/components/templating/external-vault/external-vault-form.tsx
insomnia/src/ui/components/viewers/response-viewer.tsx -> insomnia/src/ui/components/viewers/response-multipart-viewer.tsx

Analysis

No Change: This PR does not introduce or remove any circular references.


This report was generated automatically by comparing against the develop branch.
