Skip to content

security: tighten CSP (`connect-src`)

Besides WebRTC, currently we only connect to the broker and the server, so only allowing the extension to connect to those servers should improve security. Later, if/when we allow to connect to any address (e.g. snowflake#40166), we may keep the CSP to only allow ws:/wss: connections, and https://broker....

I need to remind that currently the connect-src directive doesn't affect WebRTC. See 1, 2.

Also need to keep configurability in mind, i.e. if users want to switch to a custom broker/relay.