Surfaced during the security audit on PR #38. Critical findings (URL allowlist, Zod re-validation, TagChip color guard, encodeURIComponent) were fixed inline. These are the remaining Important / Minor items:
Items

- CSP meta tag on `packages/web/index.html`. Defense in depth against any future XSS regression. Suggested:

  ```html
  ```

  Tailwind needs `'unsafe-inline'` for styles in dev; consider a build-time extract for production.
- Explicit `content_security_policy.extension_pages` on both extension manifests. MV3 defaults are already tight (`script-src 'self'`); making it explicit is documentation.
- "Sign out / clear local data" button in the web UI header. `clearSettings()` exists in `packages/web/src/lib/settings.ts` but is unreachable from the UI. Users on shared machines currently need DevTools to revoke locally.
- README guidance on PAT lifecycle. Extensions cannot clear `chrome.storage.local` on uninstall; document that users should revoke the PAT on github.com when removing the extension.
- Filter unsafe URLs at the `apply-remote.ts` boundary too. The extension's `apply-remote` writes to `chrome.bookmarks`, which accepts any URL string. Currently we filter at save-time (`buildBookmark`) and render-time (`BookmarkRow`). Add a filter at the apply-remote boundary so a malicious bookmark from `bookmarks.json` doesn't reach the user's native bookmark tree, where Chrome would happily open it.
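The apply-remote filter from the last item, sketched as an added example (not the project's code). It assumes a decoded `bookmarks.json` entry looks like `{ title, url }` and that an http/https-only allowlist matches what `buildBookmark` does; the real allowlist is not shown in this issue.

```typescript
// Added example, not from the repo: partition remote bookmarks before they are
// handed to chrome.bookmarks. The RemoteBookmark shape is an assumption.
interface RemoteBookmark {
  title: string;
  url: string;
}

// Schemes a synced bookmark may carry. javascript:, data:, file: etc. are rejected.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

function isSafeBookmarkUrl(raw: string): boolean {
  let parsed: URL;
  try {
    // WHATWG URL parsing trims leading whitespace and lowercases the scheme,
    // so " JavaScript:void(0)" ends up with protocol "javascript:" and is rejected.
    parsed = new URL(raw);
  } catch {
    return false; // relative or unparseable strings are not bookmarkable
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

interface FilterResult {
  accepted: RemoteBookmark[]; // safe to pass to chrome.bookmarks.create
  rejected: RemoteBookmark[]; // drop, and log the titles for the user
}

// Apply the allowlist to a whole decoded payload in one pass.
function filterRemoteBookmarks(entries: RemoteBookmark[]): FilterResult {
  const accepted: RemoteBookmark[] = [];
  const rejected: RemoteBookmark[] = [];
  for (const entry of entries) {
    (isSafeBookmarkUrl(entry.url) ? accepted : rejected).push(entry);
  }
  return { accepted, rejected };
}

// Constructed sample standing in for a decoded bookmarks.json payload.
const SAMPLE_REMOTE: RemoteBookmark[] = [
  { title: "docs", url: "https://example.com/docs" },
  { title: "intranet", url: "http://intranet.example/" },
  { title: "bad-scheme", url: "javascript:void(0)" },
  { title: "bad-case", url: " JavaScript:void(0)" },
  { title: "bad-data", url: "data:text/html,hello" },
  { title: "bad-parse", url: "not a url" },
];
```

Only `accepted` should ever reach `chrome.bookmarks.create`; surfacing `rejected` titles in the sync log tells the user that their remote file contained something the extension refused to import.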
Context
PR #38 fixed three Criticals + one Important. These are the remaining Important / Minor items from that same audit. Together they harden the codebase against future XSS regressions and improve the user-facing security UX.