chore(webview): tighten CSP to account for postMessage() use

Signed-off-by: Konstantinos Maninakis <maninak@protonmail.com>
cytechmobile · Dec 13, 2023 · 0952def · 0952def
1 parent b33937f
commit 0952def
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/helpers/webview.ts b/src/helpers/webview.ts
@@ -70,6 +70,8 @@ export function createOrShowWebview(ctx: ExtensionContext, title = 'Patch DEADBE
           style-src ${allowedSource} 'unsafe-inline';
           img-src ${allowedSource} https: data:;
           script-src 'strict-dynamic' 'nonce-${nonce}' 'unsafe-inline' https:;
+          Cross-Origin-Opener-Policy: same-origin;
+          Cross-Origin-Embedder-Policy: require-corp;
         "
       >
       <meta name="viewport" content="width=device-width, initial-scale=1.0">