Custom CSP configurable by the user #532

Open
Janrupf opened this issue Apr 3, 2024 · 1 comment

Janrupf commented Apr 3, 2024

Description

At the moment WebCord provides a reasonable set of builtin CSP to be enabled and disabled. However, when adding custom themes, one may want to allow further domains.

Suggestions

Add the option to write custom CSP rules in order to add more domains to the allowlist.

This should probably clearly warn the user that they reduce the security and should never paste in random stuff.

Alternatives

The theme could be patched so as not to require online resources.

Additional Context

Clear Vision is a custom Discord theme which claims to be "auto updating" - in reality this means they @import the actual theme, and the CSS file you download is just a kind of configuration file. Additionally it also loads some icons from custom domains.

@Janrupf Janrupf added the type:feat New feature or request label Apr 3, 2024

Janrupf commented Apr 3, 2024

After a bit of reading through WebCord's source code I noticed it actually handles @imports. So the theme actually broke because of url(...) referencing external images. Maybe these could be substituted in a similar way to imports by converting them to data URIs?
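
One way the requested allowlist extension could be validated before it is merged into a policy, as an added example that is not WebCord's code and not part of the issue. It assumes user rules arrive as a directive-to-origins object; `BASE_CSP`, `EXTENDABLE`, `extendCsp` and all hosts are constructed for illustration.

```javascript
// Constructed sample policy (NOT WebCord's real CSP).
const BASE_CSP =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.example.com; script-src 'self'";

// Assumption: only directives a CSS theme needs may be widened; script-src stays fixed.
const EXTENDABLE = new Set(["style-src", "img-src", "font-src"]);

// Parse "name v1 v2; name2 v3" into Map(name -> [values]).
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), values);
  }
  return map;
}

// Accept exact https origins only: no wildcards, quoted keywords,
// bare schemes (data:, https:), paths, queries or credentials.
function normalizeOrigin(entry) {
  if (/[*'\s;,]/.test(entry)) return null;
  let url;
  try { url = new URL(entry); } catch { return null; }
  if (url.protocol !== "https:" || url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;
}

// Merge validated user origins into the base policy; report everything refused
// so the UI can show the user exactly what was not applied.
function extendCsp(basePolicy, userRules) {
  const csp = parseCsp(basePolicy);
  const rejected = [];
  for (const [directive, entries] of Object.entries(userRules)) {
    for (const entry of entries) {
      const origin = EXTENDABLE.has(directive) ? normalizeOrigin(entry) : null;
      if (!origin) { rejected.push(`${directive} ${entry}`); continue; }
      // A missing directive falls back to default-src, so seed from it;
      // otherwise adding one host would silently drop the fallback sources.
      const current = csp.get(directive) ?? [...(csp.get("default-src") ?? [])];
      if (!current.includes(origin)) current.push(origin);
      csp.set(directive, current);
    }
  }
  const policy = [...csp].map(([n, v]) => [n, ...v].join(" ")).join("; ");
  return { policy, rejected };
}
```

Returning the rejected entries alongside the merged policy gives the settings UI something concrete to display next to the security warning the issue asks for.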
