From 99f19d53dad8568e58afcd761f044198c80b0453 Mon Sep 17 00:00:00 2001 From: martgil Date: Fri, 22 May 2026 14:20:10 +0800 Subject: [PATCH 01/21] fix: sanitize user-provided content with Xss.escape to prevent potential XSS vulnerabilities --- extension/chrome/elements/pgp_pubkey.ts | 2 +- extension/chrome/settings/modules/contacts.ts | 7 +++++-- extension/js/common/ui/passphrase-ui.ts | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/extension/chrome/elements/pgp_pubkey.ts b/extension/chrome/elements/pgp_pubkey.ts index c8ac696180d..7081e0c4356 100644 --- a/extension/chrome/elements/pgp_pubkey.ts +++ b/extension/chrome/elements/pgp_pubkey.ts @@ -190,7 +190,7 @@ View.run( private showKeyNotUsableError = async () => { $('.error_container').removeClass('hidden'); - $('.error_introduce_label').html(`This OpenPGP key is not usable.
(${await this.getErrorText()})`); // xss-escaped + $('.error_introduce_label').html(`This OpenPGP key is not usable.
(${Xss.escape(await this.getErrorText())})`); // xss-escaped $('.hide_if_error').hide(); $('.fingerprints, .add_contact, #manual_import_warning').remove(); const email = this.firstParsedPublicKey ? KeyUtil.getPrimaryEmail(this.firstParsedPublicKey) : undefined; diff --git a/extension/chrome/settings/modules/contacts.ts b/extension/chrome/settings/modules/contacts.ts index 8912a086d96..432f3ccf993 100644 --- a/extension/chrome/settings/modules/contacts.ts +++ b/extension/chrome/settings/modules/contacts.ts @@ -175,13 +175,16 @@ View.run( } const key = await KeyUtil.parse(armoredPubkey); $('.hide_when_rendering_subpage').css('display', 'none'); - Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${email}      `); + Xss.sanitizeRender('h1', `${this.backBtn}${this.space}${Xss.escape(email)}      `); // xss-escaped $('#view_contact .key_dump').text(armoredPubkey); $('#view_contact #container-pubkey-details').text( [ `Type: ${key.family}`, `Fingerprint: ${Str.spaced(key.id || 'none')}`, - `Users: ${key.users?.map(u => u.email).filter(Boolean).join(', ')}`, + `Users: ${key.users + ?.map(u => u.email) + .filter(Boolean) + .join(', ')}`, `Created on: ${key.created ? new Date(key.created) : ''}`, `Expiration: ${key.expiration ? new Date(key.expiration) : 'Does not expire'}`, `Last signature: ${key.lastModified ? new Date(key.lastModified) : ''}`, diff --git a/extension/js/common/ui/passphrase-ui.ts b/extension/js/common/ui/passphrase-ui.ts index 32f15e6149e..e1630e8cc10 100644 --- a/extension/js/common/ui/passphrase-ui.ts +++ b/extension/js/common/ui/passphrase-ui.ts @@ -90,8 +90,8 @@ export const isCreatePrivateFormInputCorrect = async (section: string, clientCon Please write down your passphrase and store it in safe place or even two. It is needed in order to access your FlowCrypt account. -
${notePp}
- `; +
${Xss.escape(notePp)}
+ `; // xss-escaped
 return await Ui.modal.confirmWithCheckbox('Yes, I wrote it down', paperPassPhraseStickyNote);
 }
 return true;
From 17c01acfccc31336eb7651c8689b37549bb4d65e Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 22 May 2026 14:38:46 +0800
Subject: [PATCH 02/21] chore: add default-src to extension_pages content security policy
---
extension/manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index c4bcbbf63ef..8ed3bfad867 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob: https:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
 }
 }
From 9afde36be259e0185e0fa9be9bef657c29ee231a Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 22 May 2026 16:09:19 +0800
Subject: [PATCH 03/21] chore: update manifest.json
---
extension/manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index 8ed3bfad867..68305584127 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://localhost https://flowcrypt.com https://*.flowcrypt.com;"
 }
 }
From 49e58ded693489318816212c9ad40291c923c8fc Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 22 May 2026 16:34:23 +0800
Subject: [PATCH 04/21] refactor: use build-specific csp
---
extension/manifest.json | 2 +-
tooling/build-types-and-manifests.ts | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index 68305584127..bd85885b691 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://localhost https://flowcrypt.com https://*.flowcrypt.com;"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com;"
 }
 }
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 97054225ffa..e07871edff8 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -205,6 +205,10 @@ const makeConsumerLocalBuild = () => {
 edit(`${buildDir(localBuildType)}/manifest.json`, code => {
 const manifest = JSON.parse(code) as chrome.runtime.ManifestV3;
 manifest.key = publicKey;
+ // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+ const csp = manifest.content_security_policy!.extension_pages;
+ // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+ manifest.content_security_policy!.extension_pages = csp!.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:*");
 return JSON.stringify(manifest, undefined, 2);
 });
 };
From a7670538fe1e54a802e1bb8aa0e2759f53ea023b Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 22 May 2026 17:02:51 +0800
Subject: [PATCH 05/21] refactor: move the connect-src patching to makeMockBuild
---
tooling/build-types-and-manifests.ts | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index e07871edff8..c30da542b55 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -173,9 +173,16 @@ const makeMockBuild = (sourceBuildType: string) => {
 edit(`${buildDir(mockBuildType)}/js/common/core/const.js`, editor);
 edit(`${buildDir(mockBuildType)}/js/common/platform/catch.js`, editor);
 edit(`${buildDir(mockBuildType)}/js/content_scripts/webmail_bundle.js`, editor);
- edit(`${buildDir(mockBuildType)}/manifest.json`, code =>
- code.replace(/https:\/\/mail\.google\.com/g, mockGmailPage).replace(/https:\/\/\*\.google.com\/\*/, 'https://google.localhost/*')
- );
+ edit(`${buildDir(mockBuildType)}/manifest.json`, code => {
+ let updatedCode = code.replace(/https:\/\/mail\.google\.com/g, mockGmailPage).replace(/https:\/\/\*\.google.com\/\*/, 'https://google.localhost/*');
+ const manifest = JSON.parse(updatedCode) as chrome.runtime.ManifestV3;
+ if (manifest.content_security_policy?.extension_pages) {
+ const csp = manifest.content_security_policy.extension_pages;
+ manifest.content_security_policy.extension_pages = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:*");
+ updatedCode = JSON.stringify(manifest, undefined, 2);
+ }
+ return updatedCode;
+ });
 };

 const makeLocalFesBuild = (sourceBuildType: string) => {
@@ -205,10 +212,6 @@ const makeConsumerLocalBuild = () => {
 edit(`${buildDir(localBuildType)}/manifest.json`, code => {
 const manifest = JSON.parse(code) as chrome.runtime.ManifestV3;
 manifest.key = publicKey;
- // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
- const csp = manifest.content_security_policy!.extension_pages;
- // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
- manifest.content_security_policy!.extension_pages = csp!.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:*");
 return JSON.stringify(manifest, undefined, 2);
 });
 };
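Review bot: `csp.replace(/connect-src[^;]*/, …)` in the new `makeMockBuild` editor is a silent no-op when the source manifest carries no `connect-src` directive, so a mock build would keep the production host list and the resulting test failures would not point back at this code. A guard before the replace turns that into a build-time error: `if (!/\bconnect-src\b/.test(csp)) throw new Error('extension_pages CSP has no connect-src directive to patch');`. The hard-coded replacement string deserves a one-line comment stating that it is the test-only allow-list and that the production list lives in `extension/manifest.json`, since the two are now maintained separately. `makeMockBuild` starts before this hunk and its opening lines are not visible here.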
From b312de6653b50a3b321ec4705110c73d0fbb8281 Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 22 May 2026 17:47:58 +0800
Subject: [PATCH 06/21] test: fix failing test
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index c30da542b55..46200b9c64a 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -178,7 +178,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 const manifest = JSON.parse(updatedCode) as chrome.runtime.ManifestV3;
 if (manifest.content_security_policy?.extension_pages) {
 const csp = manifest.content_security_policy.extension_pages;
- manifest.content_security_policy.extension_pages = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:*");
+ manifest.content_security_policy.extension_pages = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:* https://flowcrypt.com");
 updatedCode = JSON.stringify(manifest, undefined, 2);
 }
 return updatedCode;
From 44de25998faa4764dfd3edeb1bfc85519e076921 Mon Sep 17 00:00:00 2001
From: martgil
Date: Mon, 25 May 2026 10:40:00 +0800
Subject: [PATCH 07/21] test: add style-src unsafe inline csp directive
---
tooling/build-types-and-manifests.ts | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 46200b9c64a..dc7557f61fb 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -178,7 +178,11 @@ const makeMockBuild = (sourceBuildType: string) => {
 const manifest = JSON.parse(updatedCode) as chrome.runtime.ManifestV3;
 if (manifest.content_security_policy?.extension_pages) {
 const csp = manifest.content_security_policy.extension_pages;
- manifest.content_security_policy.extension_pages = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:* https://flowcrypt.com");
+ if (csp) {
+ let updatedCsp = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test");
+ updatedCsp += "; style-src 'self' 'unsafe-inline'";
+ manifest.content_security_policy.extension_pages = updatedCsp;
+ }
 updatedCode = JSON.stringify(manifest, undefined, 2);
 }
 return updatedCode;
From 31b219bcbf2156a2f6a4ca671a90209fb9672a1b Mon Sep 17 00:00:00 2001
From: martgil
Date: Mon, 25 May 2026 11:02:15 +0800
Subject: [PATCH 08/21] test: add another host to connect-src csp
---
tooling/build-types-and-manifests.ts | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index dc7557f61fb..124892e784c 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -179,7 +179,10 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (manifest.content_security_policy?.extension_pages) {
 const csp = manifest.content_security_policy.extension_pages;
 if (csp) {
- let updatedCsp = csp.replace(/connect-src[^;]*/, "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test");
+ let updatedCsp = csp.replace(
+ /connect-src[^;]*/,
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost"
+ );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
 }
From f019953ed8e38f3a37923e9c09e1596fe1f7f8f7 Mon Sep 17 00:00:00 2001
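Review bot: `updatedCsp += "; style-src 'self' 'unsafe-inline'"` loosens the policy only in the mock build, so the test suite runs under a weaker `style-src` than the shipped manifest, where `style-src` falls back to `default-src 'self'` and inline styles are blocked; if any extension page relies on inline styles, production users would hit a block that the tests never see. Either add the same directive to `extension/manifest.json` as a deliberate, documented choice, or remove it here so the tests exercise the production policy. The inner `if (csp)` is redundant because the enclosing `if (manifest.content_security_policy?.extension_pages)` already establishes the value is a non-empty string. Since the manifest string already ends with `;`, the append also yields an empty `;;` directive; `updatedCsp += " style-src 'self' 'unsafe-inline';"` avoids that.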
From: martgil
Date: Mon, 25 May 2026 16:48:57 +0800
Subject: [PATCH 09/21] test: fix missing port on whitelisted domain
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 124892e784c..10b5f37a222 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:*"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From 74c7181e9df7e1a9bfb8aab53e6a34ecb4e1948d Mon Sep 17 00:00:00 2001
From: martgil
Date: Mon, 25 May 2026 17:46:04 +0800
Subject: [PATCH 10/21] test: update img-src
---
extension/manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index bd85885b691..8a2d7554af9 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com;"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com;"
 }
 }
From 5fd2d1a95c3c8bc76551fe4735c139742e7aba7e Mon Sep 17 00:00:00 2001
From: martgil
Date: Mon, 25 May 2026 18:22:53 +0800
Subject: [PATCH 11/21] feat: add flowcrypt s3 to connect-src
---
extension/manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index 8a2d7554af9..f4bdc6ef298 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
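Review bot: `img-src 'self' https://* data: blob:` re-opens image loads from every HTTPS origin, which is effectively the `https:` source that the earlier `default-src` commit removed, and remote image fetches from an extension page are a classic beacon channel for whoever controls the image URL. If remote images are needed from a known set of hosts, list those origins explicitly, as the `connect-src` directive in this same string already does. If the wildcard is intentional because image URLs originate from message content, record that reasoning in the commit message, since `manifest.json` cannot carry a comment.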
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com;"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com;"
 }
 }
From 95b06e2fe82e628ec1ac490fb3990e1040a413cd Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 10:55:47 +0800
Subject: [PATCH 12/21] feat: add google.com to connect-src
---
extension/manifest.json | 2 +-
tooling/build-types-and-manifests.ts | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index f4bdc6ef298..d99b0ed51e9 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com;"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com;"
 }
 }
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 10b5f37a222..310314accf3 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:*"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From 21d7ab39fe0466e3e6e9d6246a7fdd1f9975de55 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 11:22:32 +0800
Subject: [PATCH 13/21] test: add google.com to test csp
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 310314accf3..b8b1a4dc8d4 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From c1789d1271b179e28d4d34ebe9bb695c4537906e Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 17:04:48 +0800
Subject: [PATCH 14/21] test: add new host to connect-src
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index b8b1a4dc8d4..7502787a042 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://flowcrypt.s3.amazonaws.com"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From b42bf663196b31129ae9b403cab722443e9a2251 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 17:49:44 +0800
Subject: [PATCH 15/21] test: add even more hosts
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 7502787a042..fe97bc0d037 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://flowcrypt.s3.amazonaws.com"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://flowcrypt.s3.amazonaws.com https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From 81f3ea18d5eec10e26a83c4e16ae68b34ee7a93a Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 18:09:22 +0800
Subject: [PATCH 16/21] test: add www.google.com to connect-src
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index fe97bc0d037..728b5a28dab 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://flowcrypt.s3.amazonaws.com https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com/ https://flowcrypt.s3.amazonaws.com https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From 5080e2783b149a832748c28a711300d5344ce172 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 18:51:00 +0800
Subject: [PATCH 17/21] chore: de-duplicate hosts
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 728b5a28dab..59e0bd3da0f 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com/ https://flowcrypt.s3.amazonaws.com https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From fb642047c97cdb9827dbcfd2843808b1325124a0 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 18:53:21 +0800
Subject: [PATCH 18/21] test: add whitelisted ports
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 59e0bd3da0f..b9f4b1f2907 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://localhost:* https://*.localhost:* https://google.localhost https://gmail.localhost:*;"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://localhost:* https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From 71a094fa35c6791c888746d353e4b5067988db86 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 19:36:34 +0800
Subject: [PATCH 19/21] chore: prod-ready manifest.json
---
extension/manifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extension/manifest.json b/extension/manifest.json
index d99b0ed51e9..df68a026b53 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
 ],
 "minimum_chrome_version": "96",
 "content_security_policy": {
- "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://google.com;"
+ "extension_pages": "script-src 'self'; default-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'; connect-src 'self' https://flowcrypt.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://www.google.com https://gmail.googleapis.com;"
 }
 }
From f9c3116a40b7952dc7cc62f2ef06c4c7d9852c87 Mon Sep 17 00:00:00 2001
From: martgil
Date: Tue, 26 May 2026 19:36:46 +0800
Subject: [PATCH 20/21] chore: de-dupe hosts
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index b9f4b1f2907..71c1e995500 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://localhost:* https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
From e82bb73730a42ce197d557b17983d8ebc9bf9e3d Mon Sep 17 00:00:00 2001
From: martgil
Date: Fri, 29 May 2026 16:17:56 +0800
Subject: [PATCH 21/21] chore: re-add google.com host
---
tooling/build-types-and-manifests.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling/build-types-and-manifests.ts b/tooling/build-types-and-manifests.ts
index 71c1e995500..5d539128b09 100644
--- a/tooling/build-types-and-manifests.ts
+++ b/tooling/build-types-and-manifests.ts
@@ -181,7 +181,7 @@ const makeMockBuild = (sourceBuildType: string) => {
 if (csp) {
 let updatedCsp = csp.replace(
 /connect-src[^;]*/,
- "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
+ "connect-src 'self' https://localhost:* https://flowcrypt.com https://fes.flowcrypt.test https://fes.standardsubdomainfes.localhost:* https://fes.key-manager-server-offline.flowcrypt.test https://google.com https://www.google.com https://*.flowcrypt.com https://flowcrypt.s3.amazonaws.com https://*.localhost:* https://google.localhost:* https://gmail.localhost:*;"
 );
 updatedCsp += "; style-src 'self' 'unsafe-inline'";
 manifest.content_security_policy.extension_pages = updatedCsp;
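Review bot: the replacement string ends with `;` while `/connect-src[^;]*/` leaves the manifest's own terminating `;` in place and the next line appends `; style-src …`, so the generated policy contains `;;;` — empty directives that browsers skip but that make the emitted manifest hard to read and diff; dropping the trailing `;` from the literal fixes it. Three entries appear to be covered already by `https://*.localhost:*` (`https://fes.standardsubdomainfes.localhost:*`, `https://google.localhost:*`, `https://gmail.localhost:*`), assuming the usual CSP host-source wildcard semantics, so they could go. This commit re-adds `https://google.com` right after the previous one removed it as a duplicate of `https://www.google.com`; a comment naming the test that needs the bare host, such as `// google.com is required in addition to www.google.com by <test name>`, would stop the next de-dupe from removing it again. Keeping the list as a string array joined with `' '` would make such additions reviewable one host per line.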