aaroncox/vessel

vessel 0.2.5 immediately downloads code from cloudflare cdnjs to execute on run


sneak commented

[screenshot attached: screen shot 2018-01-12 at 15 51 53]

This is a security vulnerability, as Cloudflare can then serve whatever JS it wants. The point of an offline app is to encapsulate the dependencies so that the user can control what code is being run. Downloading and running code from the network makes this no more secure than a browser app.

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/semantic-ui/2.2.10/semantic.min.css" integrity="sha256-5+W3JHnvGYIJkVxUBsw+jBi9+pOlu9enPX3vZapXj5M=" crossorigin="anonymous" />

Initially I had issues getting the semantic-ui CSS builder to integrate into the electron application, so I included the CSS from CDN-JS with the SHA integrity check. I need to revisit this again, and if I can't get semantic-ui's built in generator to work, I'll just manually bundle the CSS within the application so the external request is no longer required.

I'll plan to have this in 0.2.6.

To follow up - I couldn't get the builder to function properly, so I've taken a prebuilt version of semantic-ui, modified it, and injected it directly into the app in ae4ad01. This removes the only external dependency request.

0.2.6 released with the code above, thanks again sneak!