Security: Webview signing oracle + CSP disabled (Tauri core) #76
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom#76
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: Critical — found in code review 2026-07-07 (Tauri core).
Problem
Two issues compound in the desktop client's key handling:
client/src-tauri/tauri.conf.json:24sets"csp": null. Any XSS/injected script in the webview runs with full access to every exposed IPC command.sign(data)(client/src-tauri/src/identity.rs:283) signs any JS-supplied string with the active private key, with no domain separation and no user confirmation. A compromised webview can forge auth challenges, messages, or any protocol artifact attributable to the user.key_export(identity.rs:370) writes the encrypted seed to a JS-chosen path under a JS-chosen passphrase that is never strength-checked (validate_passphraseis not called; it also marks weak/empty passphrasesacceptable).Keys never leave the Rust process, but the signing oracle + export path are just as damaging for impersonation/exfiltration. CSP-off is the amplifier.
Fix
default-src 'self'; script-src 'self'; connect-src 'self' <server>; img-src 'self' data:).decentcom-auth:vsdecentcom-msg:) chosen by the command, not the caller; require native confirmation for high-value signs.validate_passphrase(...).acceptableinsideinner_key_export; raise the floor above "Weak"; source the destination path from a native save dialog rather than a raw JS path.