Or I just expose my malicious share to the Internet. No mounting step necessary. file://<Evil-IP>/evil.js
The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron. So, 'self' is ALL file:// URIs.
For reference: https://github.com/electron/electron/issues/5151
If I remember correctly, on Windows you can reference file://<IP-Address>/path/to/file Thanks SMB / UNC Paths.
In Electron, all file:/// URIs share an origin. Using `script-src: 'self'` isn't much of a boundary.
They really missed an opportunity to have their URL be https://evaluate-csp.withgoogle.com Rolls off the tongue better than https://csp-evaluator.withgoogle.com.
Or I just expose my malicious share to the Internet. No mounting step necessary. file://<Evil-IP>/evil.js
The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron. So, 'self' is ALL file:// URIs.
For reference: https://github.com/electron/electron/issues/5151
If I remember correctly, on Windows you can reference file://<IP-Address>/path/to/file Thanks SMB / UNC Paths.
In Electron, all file:/// URIs share an origin. Using `script-src: 'self'` isn't much of a boundary.
They really missed an opportunity to have their URL be https://evaluate-csp.withgoogle.com Rolls off the tongue better than https://csp-evaluator.withgoogle.com.