Add a possibility to manage own nodes on Nodes screen #541
base: dev
Deployed to https://msg-adamant-pr-541.surge.sh 🚀
One possible solution could be by generating CSP dynamically based on a user cookie. The cookie will contain an array of custom nodes. Scenario:
It seems complicated to me and doesn't look secure. Also, currently the app doesn't use cookies. What do you think, @martiliones?
If the list of nodes is controlled by a user and affects only their own client, should we block fetch requests in the first place? There is no safe way to manage CSP because the client (user) defines which nodes are considered safe, not the server. The only way to make a request to a URL that's not in the list is by executing a 3rd-party script, in which case the script could also edit the CSP options.
Yes.
What do you mean?
That's why I don't like it.
I think we can disable CSP for fetch requests but keep it enabled for content like images/scripts/iframes etc. As an alternative, we can make an "Allow unknown nodes" option.
Is it possible to "disable CSP for fetch requests"? Provide some details. What is the "Allow unknown nodes" option? As I understand, CSP is generally static and set on the web server. We set it for msg.adamant.im.
Is it safe?
Is it possible to allow CSP at runtime? @bludnic @RealGoodProgrammer
Unless we make requests to untrusted URLs ourselves, it should be safe
I meant we can check it in JavaScript. What I think we really need to care about is this line, where we allow injecting scripts and running code using
@bludnic can we remove
@martiliones I guess not, we can't remove those rules. 'unsafe-eval' is required by
I will try to make it work at least for Electron. Managing custom nodes in the web version is problematic due to the CSP (Content Security Policy).
The CSP rules are returned in the server response. It will block any request from the client that doesn't match *.adamant.im. So the user custom nodes will not work by default.
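The thread above turns on two CSP facts: a `connect-src` host-source such as `*.adamant.im` only matches subdomains of that name, so a browser refuses a fetch() to any node the user adds; and each CSP directive governs its own request type, so `connect-src` can be opened up (for example to `https:`) while `script-src` stays restricted to `'self'` (with the `'unsafe-eval'` flag the thread says is required). The script below is an added example, not code from the ADAMANT project, and the policies, page URL and node hostnames in it are constructed for illustration; it does not reproduce the header msg.adamant.im actually serves. It implements a simplified CSP source-expression matcher (no nonce/hash sources, no path matching) and runs it against a strict and a relaxed policy:

```javascript
// Added example, not ADAMANT project code: a small CSP source-expression matcher
// that shows why a static `connect-src *.adamant.im` blocks fetch() to a
// user-added node, and how a relaxed connect-src can coexist with a strict
// script-src. Simplified on purpose: no 'nonce-'/'hash-' sources, no path matching.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "directive src src; directive src" -> { directive: [sources] }
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does a single source expression match `url`? `page` is the document's URL,
// needed for 'self' and for scheme-less host-sources (they inherit the page scheme).
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s === "*") return true; // any host (network schemes only, simplified)
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  if (s.startsWith("'")) return false; // 'unsafe-eval' etc. are flags, not URL matchers

  // host-source: [scheme://]host[:port], host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;

  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== page.protocol) {
    // an http page may still reach https; nothing else crosses schemes
    if (!(page.protocol === "http:" && url.protocol === "https:")) return false;
  }

  const h = url.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // "*.adamant.im" -> ".adamant.im"
    if (!h.endsWith(suffix) || h.length <= suffix.length) return false;
  } else if (h !== host) {
    return false;
  }

  if (port === undefined) return url.port === ""; // must be the scheme's default port
  if (port === "*") return true;
  return (url.port || DEFAULT_PORT[url.protocol]) === port;
}

// connect-src, img-src, script-src, ... fall back to default-src when absent.
function isAllowed(policyString, directive, urlString, pageString) {
  const policy = parsePolicy(policyString);
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // neither directive nor default-src: CSP does not restrict it
  const url = new URL(urlString);
  const page = new URL(pageString);
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed policies for illustration only; not the header msg.adamant.im actually serves.
const STRICT_POLICY =
  "default-src 'self'; connect-src 'self' *.adamant.im; script-src 'self' 'unsafe-eval'";
// Same policy with connect-src opened to any https/wss endpoint while script-src stays strict.
const RELAXED_POLICY =
  "default-src 'self'; connect-src https: wss:; script-src 'self' 'unsafe-eval'";
const PAGE = "https://msg.adamant.im/";

// Hypothetical node URLs; the hostnames and port are made up for the example.
const OFFICIAL_NODE = "https://endless.adamant.im/api/node/status";
const CUSTOM_NODE = "https://my-node.example.com:36666/api/node/status";

function demo() {
  for (const [name, policy] of [["strict", STRICT_POLICY], ["relaxed", RELAXED_POLICY]]) {
    console.log(name, "official node fetch:", isAllowed(policy, "connect-src", OFFICIAL_NODE, PAGE));
    console.log(name, "custom node fetch:  ", isAllowed(policy, "connect-src", CUSTOM_NODE, PAGE));
    console.log(name, "3rd-party script:   ", isAllowed(policy, "script-src", "https://my-node.example.com/x.js", PAGE));
  }
}
demo();
```

Under the strict policy the custom node is blocked and the official one allowed; under the relaxed policy the custom node's fetch passes while a third-party script is still refused, which is the "keep CSP for scripts/images but not for fetch" split discussed above. The caveat from the thread still holds: a server-set header cannot enumerate hosts only the user knows, so the trade-off is a broad `connect-src` (which also widens where an injected script could send data) versus not gating fetches with CSP at all.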