From 7ece0df0ac44cce2a7fc7e3f7c3c89fb130f924a Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 22 Apr 2026 09:11:53 +0100 Subject: [PATCH] fix(cr-2026-04-22): CSP guard matches connect-src as exact directive name MINOR from the 2026-04-22 review (build.rs:47-64): the guard used strip_prefix("connect-src") to find the directive, which would also match hypothetical future directives like connect-src-elem and validate the wrong allow-list. Switches to split_once(char::is_whitespace) on each directive and requires the first token to equal "connect-src" exactly. Robust against prefix collisions with any future CSP3 directive additions. --- src-tauri/build.rs | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src-tauri/build.rs b/src-tauri/build.rs index e211b8f..5b7c7ea 100644 --- a/src-tauri/build.rs +++ b/src-tauri/build.rs @@ -42,13 +42,20 @@ fn assert_localhost_llm_csp() { .expect("build.rs: tauri.conf.json missing app.security.csp string"); // Split the CSP into directives (`default-src 'self'; script-src ...`) - // and find connect-src. Everything after the directive name up to the - // next `;` is the allow-list. + // and find the one whose directive NAME is exactly "connect-src". + // A prefix match would also accept hypothetical future directives + // like "connect-src-elem" (2026-04-22 review MINOR). let connect_src = csp .split(';') .map(str::trim) - .find_map(|directive| directive.strip_prefix("connect-src")) - .map(str::trim) + .find_map(|directive| { + let (name, rest) = directive.split_once(char::is_whitespace)?; + if name == "connect-src" { + Some(rest.trim()) + } else { + None + } + }) .expect( "build.rs: tauri.conf.json CSP missing connect-src directive — \ local LLM fetches will be blocked (brief item #2)",