Skip to content

#6229 Fix improper output rendering #6230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
martgil wants to merge 23 commits into
base: master
Choose a base branch
from
Open

#6229 Fix improper output rendering #6230

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
99f19d5
fix: sanitize user-provided content with Xss.escape to prevent potent…
May 22, 2026
17c01ac
chore: add default-src to extension_pages content security policy
May 22, 2026
9afde36
chore: update manifest.json
May 22, 2026
49e58de
refactor: use build-specific csp
May 22, 2026
a767053
refactor: move the connect-src patching to makeMockBuild
May 22, 2026
b312de6
test: fix failing test
May 22, 2026
44de259
test: add style-src unsafe inline csp directive
May 25, 2026
31b219b
test: add another host to connect-src csp
May 25, 2026
f019953
test: fix missing port on whitelisted domain
May 25, 2026
74c7181
test: update img-src
May 25, 2026
5fd2d1a
feat: add flowcrypt s3 to connect-src
May 25, 2026
95b06e2
feat: add google.com to connect-src
May 26, 2026
21d7ab3
test: add google.com to test csp
May 26, 2026
5a9b720
Merge remote-tracking branch 'origin/master' into issue-6229-fix-impr…
May 26, 2026
c1789d1
test: add new host to connect-src
May 26, 2026
b42bf66
test: add even more hosts
May 26, 2026
81f3ea1
test: add www.google.com to connect-src
May 26, 2026
5080e27
chore: de-duplicate hosts
May 26, 2026
fb64204
test: add whitelisted ports
May 26, 2026
71a094f
chore: prod-ready manifest.json
May 26, 2026
f9c3116
chore: de-dupe hosts
May 26, 2026
7bb90fa
Merge branch 'master' into issue-6229-fix-improper-output-rendering
martgil May 29, 2026
e82bb73
chore: re-add google.com host
May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion extension/chrome/elements/pgp_pubkey.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ View.run(

private showKeyNotUsableError = async () => {
$('.error_container').removeClass('hidden');
$('.error_introduce_label').html(`This OpenPGP key is not usable.<br/><small>(${await this.getErrorText()})</small>`); // xss-escaped
$('.error_introduce_label').html(`This OpenPGP key is not usable.<br/><small>(${Xss.escape(await this.getErrorText())})</small>`); // xss-escaped
$('.hide_if_error').hide();
$('.fingerprints, .add_contact, #manual_import_warning').remove();
const email = this.firstParsedPublicKey ? KeyUtil.getPrimaryEmail(this.firstParsedPublicKey) : undefined;
Expand Down
7 changes: 5 additions & 2 deletions extension/chrome/settings/modules/contacts.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,13 +175,16 @@ View.run(
}
const key = await KeyUtil.parse(armoredPubkey);
$('.hide_when_rendering_subpage').css('display', 'none');
Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${email}&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`);
Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${Xss.escape(email)}&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`); // xss-escaped
$('#view_contact .key_dump').text(armoredPubkey);
$('#view_contact #container-pubkey-details').text(
[
`Type: ${key.family}`,
`Fingerprint: ${Str.spaced(key.id || 'none')}`,
`Users: ${key.users?.map(u => u.email).filter(Boolean).join(', ')}`,
`Users: ${key.users
?.map(u => u.email)
.filter(Boolean)
.join(', ')}`,
`Created on: ${key.created ? new Date(key.created) : ''}`,
`Expiration: ${key.expiration ? new Date(key.expiration) : 'Does not expire'}`,
`Last signature: ${key.lastModified ? new Date(key.lastModified) : ''}`,
Expand Down
4 changes: 2 additions & 2 deletions extension/js/common/ui/passphrase-ui.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,8 +90,8 @@ export const isCreatePrivateFormInputCorrect = async (section: string, clientCon
Please write down your passphrase and store it in safe place or even two.
It is needed in order to access your FlowCrypt account.
</div>
<div class="passphrase-sticky-note">${notePp}</div>
`;
<div class="passphrase-sticky-note">${Xss.escape(notePp)}</div>
`; // xss-escaped
return await Ui.modal.confirmWithCheckbox('Yes, I wrote it down', paperPassPhraseStickyNote);
}
return true;
Expand Down
2 changes: 1 addition & 1 deletion extension/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,6 @@
],
"minimum_chrome_version": "96",
"content_security_policy": {
"extension_pages": "script-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob: https:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
"extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://www.google.com https://gmail.googleapis.com;"
Copy link
Copy Markdown
Collaborator

@sosnovsky sosnovsky May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are a lot of connection errors in console logs because of added strict connect-src rules:

Image

also refresh token requests fail:

Image

contacts search doesn't work too. WKD search won't work, as it requires connection to recipient's domain, which will fail with current connect-src.

we'll probably won't be able to list all used domains in connect-src config, so it'll be better to remove it.

}
}
20 changes: 17 additions & 3 deletions tooling/build-types-and-manifests.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,9 +173,23 @@ const makeMockBuild = (sourceBuildType: string) => {
edit(`${buildDir(mockBuildType)}/js/common/core/const.js`, editor);
edit(`${buildDir(mockBuildType)}/js/common/platform/catch.js`, editor);
edit(`${buildDir(mockBuildType)}/js/content_scripts/webmail_bundle.js`, editor);
edit(`${buildDir(mockBuildType)}/manifest.json`, code =>
code.replace(/https:\/\/mail\.google\.com/g, mockGmailPage).replace(/https:\/\/\*\.google.com\/\*/, 'https://google.localhost/*')
);
edit(`${buildDir(mockBuildType)}/manifest.json`, code => {
let updatedCode = code.replace(/https:\/\/mail\.google\.com/g, mockGmailPage).replace(/https:\/\/\*\.google.com\/\*/, 'https://google.localhost/*');
const manifest = JSON.parse(updatedCode) as chrome.runtime.ManifestV3;
if (manifest.content_security_policy?.extension_pages) {
const csp = manifest.content_security_policy.extension_pages;
if (csp) {
let updatedCsp = csp.replace(
/connect-src[^;]*/,
"connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
);
updatedCsp += "; style-src 'self' 'unsafe-inline'";
manifest.content_security_policy.extension_pages = updatedCsp;
}
updatedCode = JSON.stringify(manifest, undefined, 2);
}
return updatedCode;
});
};

const makeLocalFesBuild = (sourceBuildType: string) => {
Expand Down
Loading