fix(cr-2026-04-22): CSP guard matches connect-src as exact directive name

MINOR from the 2026-04-22 review (build.rs:47-64): the guard used
strip_prefix("connect-src") to find the directive, which would also
match hypothetical future directives like connect-src-elem and
validate the wrong allow-list.

Switches to split_once(char::is_whitespace) on each directive and
requires the first token to equal "connect-src" exactly. Robust
against prefix collisions with any future CSP3 directive
additions.
This commit is contained in:
2026-04-22 09:11:53 +01:00
parent 53d303f4b7
commit 7ece0df0ac

View File

@@ -42,13 +42,20 @@ fn assert_localhost_llm_csp() {
.expect("build.rs: tauri.conf.json missing app.security.csp string");
// Split the CSP into directives (`default-src 'self'; script-src ...`)
// and find connect-src. Everything after the directive name up to the
// next `;` is the allow-list.
// and find the one whose directive NAME is exactly "connect-src".
// A prefix match would also accept hypothetical future directives
// like "connect-src-elem" (2026-04-22 review MINOR).
let connect_src = csp
.split(';')
.map(str::trim)
.find_map(|directive| directive.strip_prefix("connect-src"))
.map(str::trim)
.find_map(|directive| {
let (name, rest) = directive.split_once(char::is_whitespace)?;
if name == "connect-src" {
Some(rest.trim())
} else {
None
}
})
.expect(
"build.rs: tauri.conf.json CSP missing connect-src directive — \
local LLM fetches will be blocked (brief item #2)",