security: 为 Tauri WebView 启用最小 CSP

[H-Chris233]

User description

概述

• 将 Tauri WebView 从 csp: null 改为最小 CSP，避免无说明地关闭纵深防御。
• 限制脚本、对象、base URL、表单提交和嵌入来源，只保留 Tauri IPC 与开发模式本机连接。
• 增加 docs/tauri-csp.md 记录 CSP 边界，说明 provider / updater / 模型下载走 Rust 侧，不在 WebView CSP 放开外部域名。

验证

• npm run build
• npm run tauri -- info
• cargo check --manifest-path src-tauri/Cargo.toml

Closes #226

---

PR Type

Enhancement, Documentation

---

Description

• Replaced null CSP with minimal Content Security Policy.

• Restricted script, object, base, form, frame sources.

• Allowed only IPC, local dev, and inline styles.

• Added docs/tauri-csp.md explaining boundaries and Rust networking.

---

Diagram Walkthrough

flowchart LR
  A["Previous: WebView with csp: null"] -- "Enforce" --> B["Minimal CSP enabled"]
  B --> C["script-src: self-only"]
  B --> D["connect-src: IPC & local dev"]
  B --> E["object-src, base-uri, form-action: none"]
  B --> F["New doc: tauri-csp.md"]
  D -- "Keeps networking on Rust side" --> G["Provider/updater/model requests"]

Loading

File Walkthrough

	Relevant files
Documentation	tauri-csp.md Document CSP boundaries and rationale                                        docs/tauri-csp.md Added documentation explaining the minimal CSP and its boundaries. Lists permitted sources for scripts, styles, fonts, and connections. Clarifies that provider/updater/model networking uses Rust, not WebView fetch. Notes CSP is defense-in-depth; QA sanitizer remains primary XSS defense. +10/-0
Security	tauri.conf.json Enable minimal CSP in Tauri WebView config                              openless-all/app/src-tauri/tauri.conf.json Replaced csp: null with a minimal Content Security Policy. Set script-src to 'self', object-src/base-uri/form-action to 'none'. Allowed connect-src only for ipc:, localhost:1420, and WebSocket HMR. Permitted inline styles and Google Fonts for current React UI implementation. +12/-1

---

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅ 226 - PR Code Verified Compliant requirements: csp: null was replaced with an explicit CSP policy. A boundary/rationale document was added in docs/tauri-csp.md. script-src, object-src, base-uri, and connect-src are explicitly constrained. The use of unsafe-inline is documented with a local rationale. Requires further human verification: Main window, capsule, and QA window startup plus IPC behavior under the new CSP. Packaged-app verification that provider validation, model list requests, and update checks still work as expected.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ No major issues detected