aegarbutt·8년 전·discussOr I just expose my malicious share to the Internet. No mounting step necessary.file://<Evil-IP>/evil.js
aegarbutt·8년 전·discussThe CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron.So, 'self' is ALL file:// URIs.
aegarbutt·8년 전·discussIf I remember correctly, on Windows you can reference file://<IP-Address>/path/to/fileThanks SMB / UNC Paths.
aegarbutt·8년 전·discussIn Electron, all file:/// URIs share an origin. Using `script-src: 'self'` isn't much of a boundary.
aegarbutt·10년 전·discussThey really missed an opportunity to have their URL be https://evaluate-csp.withgoogle.comRolls off the tongue better than https://csp-evaluator.withgoogle.com.
file://<Evil-IP>/evil.js