kccleoc/seedpgp-web
0
0
Fork 0
mirror of https://github.com/kccleoc/seedpgp-web.git synced 2026-03-07 01:47:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: Strengthen CSP and improve network button UX

Browse Source 
- Fix CSP: Change connect-src from 'self' to 'none' (strict enforced blocking)
- Improve UX: Rename button from 'Blocked/Active' to 'Internet OFF/ON' (layman terms)
- Add clear tooltips explaining security implications:
  - Internet OFF: "Network disabled - Maximum security (no data can leave device)"
  - Internet ON: "Network enabled - Normal operation (browser CSP blocks connections)"
- Update comment to describe functionality: "Click to disable/enable internet access for maximum security"

This implements Option B from security audit: strict CSP enforcement with user-friendly interface explanations.
This commit is contained in:
LC mac
2026-02-12 23:16:26 +08:00
parent 7cec260ad1
commit 005fb292b4
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
_headers
View File

@@ -6,4 +6,4 @@
X-XSS-Protection: 1; mode=block
# Content Security Policy
Content-Security-Policy: default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; script-src-elem 'self' 'unsafe-inline';
Content-Security-Policy: default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content; worker-src 'self' blob:; script-src-elem 'self' 'unsafe-inline';