Default WebCord Settings

[LiberteIV]

First, many thanks for the detailed reply to my question about ublockorigin vs webcord, very interesting to read!

I have three more questions, i had webcord installed with electron version 21.2.2 and application version 3.9.3
Then on github i saw there is a newer version available, i did not find any update option in webcord, if i am not blind have you considered adding one? Anyways, i manually deleted all the contents from the extracted webcord version and then extracted the latest webcord with electron version 22.0.0 and application version 4.0.0
What i noticed is that i was still logged into my discord account, even when as i said i deleted all files from v3.9.3
This made me woonder why i was still logged in, so i asume webcord stores the login credentials and maybe even other information in another directory? Edit: C:\Users\User\AppData\Roaming\WebCord - is that it? Any more directorys that webcord uses?

To my final question, after installing webcord for the first time i noticed that under > settings > permissions > access to record the desktop screen and one more feature where enabled, would it be possible to disable that by default so if we really want to we can enable it manually?

Same goes for > settings > content security policy / third party websites (by default all of them where enabled...)
Description: "sets a list of third party websites allowed to connect or display content"
What makes me nervous here is the word "connect".
Some of the listed "third party websites" are absolutly not trustworthy, infact they are erasing privacy everywhere.
Google
Reddit
Spotify
Soundcloud
Twitch
Twitter
Youtube
If the checkmark is activated to allow these "websites" to connect to my discord account, might they spy on me and collect my personal information such as chat history, voice-id, screen-size, ip adress, email adress, creation date of discord account, joined servers, etc...?
All in all reading "content security" and "Google" next to each other only triggers one word in my head - censorship.
I would preffer all of those "third party sites" to be disabled by default, or am i wrong and there is no risk in allowing them to "connect"?

[SpacingBat3]

Then on github i saw there is a newer version available, i did not find any update option in webcord, if i am not blind have you considered adding one?

Someday it might reach it for Windows (there isn't even a mature installer yet!), for others I might be unable to do that (for Linux alternative would be to publish it to repo or host it on your own, macOS however seem to require signed binaries so RIP).

This made me woonder why i was still logged in, so i asume webcord stores the login credentials and maybe even other information in another directory? Edit: C:\Users\User\AppData\Roaming\WebCord - is that it? Any more directorys that webcord uses?

WebCord uses default directories for storing data, listed in Electron docs. I believe userData is the only dir, but I guess the one should keep an eye on docs if that would change.

To my final question, after installing webcord for the first time i noticed that under > settings > permissions > access to record the desktop screen and one more feature where enabled, would it be possible to disable that by default so if we really want to we can enable it manually?

It really shouldn't be – the dialog will prevent recording your screen without your consent anyway. It's just here so you can even silence dialogs. Most likely that will never be needed, but it's better to be safe than sorry.

If the checkmark is activated to allow these "websites" to connect to my discord account, might they spy on me and collect my personal information such as chat history, voice-id, screen-size, ip adress, email adress, creation date of discord account, joined servers, etc...?

Definitely not most of these, neither all of them. Actually those Discord ones most likely could be a thing, but given iframes shouldn't normally access all of the parent resources (including localStorage, which stores most of your data) and can be restricted to achieve even less than it does normally, you should be safe. And even if that weren't the case, Discord actually deletes localStorage from the global object as well as potentially other objects – this is most likely implemented to stop scammers from stealing some important data like token with DevTools. Stuff like IP is usually stored after the connection by most pages (even so-called privacy-friendly ones), so 🤷.

Same goes for > settings > content security policy / third party websites (by default all of them where enabled...)
Description: "sets a list of third party websites allowed to connect or display content"
What makes me nervous here is the word "connect".

I won't set it, for convenience of some newbie users. Blocking some of them actually may break your client and prevent you doing from some actions like even logging-in (i.e. you need to allow Discord connecting to hCaptcha for a captcha iframe to display). So there are good reasons why these were never be disabled by the default, but should be made available to the users just so privacy hardening is possible.

The "connect" word actually means that Discord is at least capable of fetching some static files from them. Technically, CSP itself defines an entire ruleset – I won't go into the details, it would take too long to explain it whole. In worst cases, there will be allowance for script and style tags point to outside URLs (usually that is required for stuff like players to show). CSP also might still block some stuff that is not really needed for simple functionality, probably including analytics / tracking.

Outside of all of this, cross-site cookie tracking is not effective as well – we're only showing single page in WebCord for most cases (unless you use different Discord instances – I don't think that's much of the change of the situation through)! There should also be no way to navigate to page outside of the pages WebCord trust, but even considering that would be possible or there are such cross-origin cookies that are shared to iframes, at worst someone would just associate you with using Discord, nothing more.

[LiberteIV]

Sounds like all in all, webcord has the best privacy-standard possible for people that rely on discord but don't agree with the tracking.
Thank you.

[SpacingBat3]

All in all reading "content security" and "Google" next to each other only triggers one word in my head - censorship.

Sometimes your perception of world makes me laugh 😂.

Also take a note WebCord does not allow third-parties by themselves, but rather services that Discord serves integrations to (I mean YouTube is technically owned by Google, yet it is a separate service from Google Storage API that Discord seems to use for uploading files for some time).

---

And for a longer lecture about which specific URLs matching given parts of the URL are allowed and for which type of the content, take a tour there:

WebCord/sources/code/main/modules/csp.ts

Lines 99 to 208 in d0cb8c4

	const builders: {base:CSPBuilder}&cspTP<CSPBuilder> = {
	base: new CSPBuilder({
	"default-src": "'self'",
	"script-src": "'self' 'unsafe-eval' 'unsafe-inline' "+
	"https://cdn.discordapp.com/animations/",
	"worker-src": "'self'",
	"font-src": "'self'",
	"style-src": "'self' 'unsafe-inline' https://cdn.discordapp.com",
	"img-src": "'self' blob: data: https://*.discordapp.net "+
	"https://*.discordapp.com https://*.discord.com",
	"connect-src": "'self' https://status.discordapp.com "+
	"https://status.discord.com https://discordapp.com https://discord.com "+
	"https://cdn.discordapp.com https://media.discordapp.net "+
	"https://router.discordapp.net wss://*.discord.gg "+
	"https://best.discord.media https://latency.discord.media "+
	"wss://*.discord.media",
	"media-src": "'self' blob: https://*.discordapp.net https://*.discord.com "+
	"https://*.discordapp.com",
	"frame-src": "https://discordapp.com/domain-migration "+
	"https://*.discordsays.com https://*.watchanimeattheoffice.com",
	}),
	algolia: new CSPBuilder({
	"connect-src": "https://*.algolianet.com https://*.algolia.net"
	}),
	audius: new CSPBuilder({ "frame-src": "https://audius.co/embed/" }),
	gif: new CSPBuilder ({
	"img-src": "https://i.imgur.com https://*.gfycat.com "+
	"https://media.tenor.co https://media.tenor.com "+
	"https://c.tenor.com https://*.giphy.com",
	"media-src": "https://i.imgur.com https://*.gfycat.com "+
	"https://media.tenor.co https://media.tenor.com "+
	"https://c.tenor.com https://*.giphy.com",
	}),
	googleStorageApi: new CSPBuilder({
	"connect-src": "https://discord-attachments-uploads-prd.storage.googleapis.com/"
	}),
	hcaptcha: new CSPBuilder({
	"script-src": "https://*.hcaptcha.com https://hcaptcha.com",
	"style-src": "https://*.hcaptcha.com https://hcaptcha.com",
	"img-src": "https://*.hcaptcha.com https://hcaptcha.com",
	"connect-src": "https://*.hcaptcha.com https://hcaptcha.com",
	"frame-src": "https://*.hcaptcha.com https://hcaptcha.com",
	}),
	paypal: new CSPBuilder({
	"script-src": "https://www.paypalobjects.com https://checkout.paypal.com",
	"img-src": "https://checkout.paypal.com",
	"frame-src": "https://checkout.paypal.com",
	"child-src": "'self' https://checkout.paypal.com"
	}),
	reddit: new CSPBuilder({
	"script-src": "https://www.redditstatic.com",
	"img-src": "https://www.redditstatic.com",
	"connect-src": "https://v.redd.it",
	"media-src": "https://v.redd.it",
	"frame-src": "https://www.redditmedia.com/mediaembed/"
	}),
	soundcloud: new CSPBuilder({ "frame-src": "https://w.soundcloud.com/player/" }),
	spotify: new CSPBuilder({
	"script-src": "https://open.spotifycdn.com/cdn/build/embed/ "+
	"https://open.spotifycdn.com/cdn/build/embed-legacy/",
	"img-src": "https://open.spotifycdn.com/cdn/images/ https://i.scdn.co/image/",
	"style-src": "https://open.spotifycdn.com/cdn/build/embed/ "+
	"https://open.spotifycdn.com/cdn/build/embed-legacy/",
	"connect-src": "wss://dealer.spotify.com https://api.spotify.com "+
	"https://open.spotifycdn.com/cdn/generated-locales/embed/",
	"frame-src": "https://open.spotify.com/embed/",
	"media-src": "https://p.scdn.co/mp3-preview/"
	}),
	streamable: new CSPBuilder({ "media-src": "https://streamable.com" }),
	twitch: new CSPBuilder({
	"script-src": "https://static.twitchcdn.net/assets/",
	"worker-src": "blob: https://player.twitch.tv",
	"style-src": "https://static.twitchcdn.net/assets/",
	"img-src": "https://static-cdn.jtvnw.net/jtv_user_pictures/",
	"connect-src": "https://api.twitch.tv/v5/channels/ "+
	"https://gql.twitch.tv/gql https://spade.twitch.tv/track "+
	"https://static.twitchcdn.net/assets/ "+
	"https://usher.ttvnw.net/api/channel/hls/ "+
	"https://*.hls.ttvnw.net/v1/playlist/ "+
	"https://*.hls.ttvnw.net/v1/segment/",
	"frame-src": "https://player.twitch.tv"
	}),
	twitter: new CSPBuilder({
	"script-src": "https://abs.twimg.com/web-video-player/",
	"img-src": "https://pbs.twimg.com/ext_tw_video_thumb/",
	"connect-src": "https://api.twitter.com/1.1/guest/activate.json "+
	"https://api.twitter.com/1.1/videos/tweet/config/ "+
	"https://video.twimg.com/ext_tw_video/",
	"media-src": "https://twitter.com/i/videos/tweet/",
	"frame-src": "https://twitter.com/i/videos/tweet/"
	}),
	vimeo: new CSPBuilder({
	"script-src": "https://f.vimeocdn.com/p/",
	"style-src": "https://f.vimeocdn.com/p/",
	"img-src": "https://i.vimeocdn.com",
	"connect-src": "https://fresnel.vimeocdn.com/add/ "+
	"https://24vod-adaptive.akamaized.net/",
	"media-src": "https://vod-progressive.akamaized.net",
	"frame-src": "https://player.vimeo.com"
	}),
	youtube: new CSPBuilder({
	"img-src": "https://i.ytimg.com https://*.youtube.com",
	"script-src": "https://www.youtube.com/iframe_api "+
	"https://www.youtube.com/s/player/",
	"connect-src": "https://*.googlevideo.com",
	"media-src": "https://*.youtube.com",
	"frame-src": "https://www.youtube.com/embed/"
	})
	};