fix(cr-2026-04-22): CSP guard matches connect-src as exact directive name
MINOR from the 2026-04-22 review (build.rs:47-64): the guard used
strip_prefix("connect-src") to find the directive, which would also
match hypothetical future directives like connect-src-elem and
validate the wrong allow-list.
Switches to split_once(char::is_whitespace) on each directive and
requires the first token to equal "connect-src" exactly. Robust
against prefix collisions with any future CSP3 directive
additions.
This commit is contained in:
@@ -42,13 +42,20 @@ fn assert_localhost_llm_csp() {
|
||||
.expect("build.rs: tauri.conf.json missing app.security.csp string");
|
||||
|
||||
// Split the CSP into directives (`default-src 'self'; script-src ...`)
|
||||
// and find connect-src. Everything after the directive name up to the
|
||||
// next `;` is the allow-list.
|
||||
// and find the one whose directive NAME is exactly "connect-src".
|
||||
// A prefix match would also accept hypothetical future directives
|
||||
// like "connect-src-elem" (2026-04-22 review MINOR).
|
||||
let connect_src = csp
|
||||
.split(';')
|
||||
.map(str::trim)
|
||||
.find_map(|directive| directive.strip_prefix("connect-src"))
|
||||
.map(str::trim)
|
||||
.find_map(|directive| {
|
||||
let (name, rest) = directive.split_once(char::is_whitespace)?;
|
||||
if name == "connect-src" {
|
||||
Some(rest.trim())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.expect(
|
||||
"build.rs: tauri.conf.json CSP missing connect-src directive — \
|
||||
local LLM fetches will be blocked (brief item #2)",
|
||||
|
||||
Reference in New Issue
Block a user