Commit dce85291 authored by WofWca

hardening: add `treat-as-public-address` CSP

This is yet another measure to make sure that the extension
can only connect to the allow-listed destinations.

This is a follow-up to cbc437ea
(tpo/anti-censorship/pluggable-transports/snowflake-webext!66),
which addresses tpo/anti-censorship/pluggable-transports/snowflake-webext#80.

See the spec:
https://wicg.github.io/private-network-access/#csp

> it is a mechanism by which non-public documents
> may drop the privilege to contact other non-public documents
> without a preflight.

This directive is not really respected by browsers as of now,
but hopefully it will be in the future.

Browsers that do not support the directive should simply warn
that "the directive is not recognized" and parse
the rest of the CSP string as usual.

It is fine to apply this directive, because in practice the extension
acts pretty much in the same way as the "badge"
(https://snowflake.torproject.org/embed) does,
i.e. it works when served from a public address,
and it doesn't need the private network access privilege.
parent b1cbab76
Branches base-browser-115.0b5-13.0-1
Pipeline #255065 passed
......@@ -22,7 +22,7 @@
"default_title": "Snowflake",
"default_popup": "embed.html"
},
"content_security_policy": "default-src 'self'; connect-src wss://*.freehaven.net/ wss://*.torproject.net https://*.torproject.net:* https://*.freehaven.net:*",
"content_security_policy": "treat-as-public-address; default-src 'self'; connect-src wss://*.freehaven.net/ wss://*.torproject.net https://*.torproject.net:* https://*.freehaven.net:*",
"permissions": [
"storage"
]
......
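Review bot: On the changed `content_security_policy` line, nothing in this change verifies the commit message's expectation that a browser which does not recognize `treat-as-public-address` will only warn and still apply `default-src 'self'` and the `connect-src` allow-list. Please confirm this by loading the extension in each supported browser and checking that a connection to a host outside the allow-list is still refused, then record the result in the merge request. Since the new token sits first in the string, it is the part of the policy where a parsing problem would show up, so this is worth checking before relying on it as hardening.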
......@@ -19,7 +19,7 @@
"default_popup": "embed.html"
},
"content_security_policy": {
"extension_pages": "default-src 'self'; connect-src wss://*.freehaven.net/ wss://*.torproject.net https://*.torproject.net:* https://*.freehaven.net:*"
"extension_pages": "treat-as-public-address; default-src 'self'; connect-src wss://*.freehaven.net/ wss://*.torproject.net https://*.torproject.net:* https://*.freehaven.net:*"
},
"permissions": [
"storage",
......
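Review bot: The `extension_pages` value is now an exact copy of the policy string in the other manifest, and both had to be edited by hand in this commit. Consider a small build-time or CI check that compares the two strings (or generating both manifests from one constant), so a future edit to the `connect-src` allow-list or to the `treat-as-public-address` directive cannot land in one manifest and be missed in the other.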