security: enforce renderer CSP and externalize theme bootstrap #172

Merged
Mehdi-Bl merged 3 commits into main from feat/sec-25-renderer-csp-hardening on Feb 19, 2026

Conversation

@Mehdi-Bl (Contributor) commented Feb 19, 2026

Summary

  • add strict renderer CSP meta policy in src/renderer/public/index.html
  • remove inline startup script and move dark-mode bootstrap to src/renderer/public/theme-bootstrap.js
  • add CSP regression tests and documentation notes
  • make QA screenshot harness CSP-safe (external stylesheet route instead of inline style injection)
  • include renderer public scripts in Jest coverage collection so Sonar new-code coverage is enforced for CSP bootstrap script

Validation

  • npm run lint
  • npm test -- --runInBand
  • npm run qa:screenshot
  • xvfb-run -a npm run e2e:playwright:ci
  • npm run test:stress
  • make sonar

Performance Snapshot (stress)

  • artifact: dist/benchmarks/ipc-latency-1771483000059.json
    • scenario: fs:getDirectoryTree-large-flat
    • p50: 36.17ms, p95: 38.37ms, p99: 38.37ms
  • artifact: dist/benchmarks/event-loop-lag-1771483000380.json
    • scenario: fs:getDirectoryTree-event-loop-lag
    • p50: 1ms, p95: 4ms, p99: 5ms

Issue

  • SEC-25: Renderer CSP hardening with safe bootstrap migration

@qodo-free-for-open-source-projects

Review Summary by Qodo

Enforce renderer CSP and externalize theme bootstrap

✨ Enhancement 🧪 Tests


Walkthroughs

Description
• Add strict Content-Security-Policy meta tag to renderer HTML
• Externalize dark-mode bootstrap logic to separate JavaScript file
• Implement CSP regression tests ensuring no unsafe directives
• Document renderer CSP policy requirements and constraints


File Changes

1. src/renderer/public/index.html Security enhancement +5/-15

Add CSP meta tag and externalize theme bootstrap

• Add strict CSP meta tag with script-src 'self', style-src 'self', and other security
 directives
• Remove inline dark-mode bootstrap script (22 lines)
• Replace with external script reference to theme-bootstrap.js

src/renderer/public/index.html


2. src/renderer/public/theme-bootstrap.js ✨ Enhancement +22/-0

New external theme bootstrap script

• Create new file with dark-mode initialization logic
• Apply theme before React mounts to prevent light-theme flash
• Include error handling for unavailable storage/media APIs
• Use IIFE pattern to avoid global scope pollution

src/renderer/public/theme-bootstrap.js


3. tests/unit/main/csp-policy.test.ts 🧪 Tests +35/-0

New CSP policy regression tests

• Add test suite validating strict CSP policy presence
• Verify absence of 'unsafe-inline' and 'unsafe-eval' directives
• Confirm external script loading instead of inline scripts
• Test CSP meta tag structure and required directives

tests/unit/main/csp-policy.test.ts


4. docs/DEVELOPMENT.md 📝 Documentation +13/-0

Document renderer CSP policy requirements

• Add new "Renderer CSP Policy" section documenting security baseline
• Document required CSP directives and forbidden exceptions
• Explain rationale for externalizing dark-mode bootstrap

docs/DEVELOPMENT.md


5. tests/catalog.md 📝 Documentation +1/-0

Update test catalog with CSP policy test

• Add entry for new csp-policy.test.ts test file
• Document test coverage scope and target file

tests/catalog.md


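The walkthrough above describes the shape the PR's external bootstrap takes: theme applied before React mounts, storage and media-query access wrapped in error handling, IIFE to keep the global scope clean. The block below is an added example and not the PR's theme-bootstrap.js. It shows one way to write a bootstrap that loads under `script-src 'self'` with no inline code: the decision is a pure function so it can be unit-tested without a DOM, a throwing `localStorage` or a missing `matchMedia` falls back to the light theme instead of breaking startup, and a guarded IIFE applies the class at parse time. The storage key `theme` and the `dark` class on `<html>` are assumptions.

```javascript
// Added example (not the project's theme-bootstrap.js). Loaded as
//   <script src="./theme-bootstrap.js"></script>
// ahead of the React bundle, so the first paint already carries the class.

const THEME_KEY = 'theme'; // assumption: key used by the settings UI

// Pure decision: an explicit stored choice wins, otherwise follow the OS.
// storedValue is the raw localStorage entry (or null); prefersDark is the
// result of the prefers-color-scheme query. Returns 'dark' or 'light'.
function resolveTheme(storedValue, prefersDark) {
  if (storedValue === 'dark' || storedValue === 'light') return storedValue;
  return prefersDark ? 'dark' : 'light';
}

// localStorage.getItem can throw (storage disabled, opaque origin, quota
// policy); any failure is treated as "no stored preference".
function readStoredTheme(storage) {
  try {
    return storage ? storage.getItem(THEME_KEY) : null;
  } catch {
    return null;
  }
}

// matchMedia may be absent in some embedders; default to light.
function readSystemPrefersDark(win) {
  try {
    return Boolean(
      win &&
        typeof win.matchMedia === 'function' &&
        win.matchMedia('(prefers-color-scheme: dark)').matches
    );
  } catch {
    return false;
  }
}

// Toggle the 'dark' class on <html> (assumption: Tailwind-style class toggle).
function applyTheme(doc, theme) {
  const cls = doc.documentElement.classList;
  if (theme === 'dark') cls.add('dark');
  else cls.remove('dark');
  return theme;
}

// Runs synchronously at parse time. The guard lets the same file be imported
// by a Node test runner without a DOM.
(function bootstrapTheme() {
  if (typeof document === 'undefined' || typeof window === 'undefined') return;
  let storage = null;
  try {
    storage = window.localStorage;
  } catch {
    storage = null;
  }
  applyTheme(
    document,
    resolveTheme(readStoredTheme(storage), readSystemPrefersDark(window))
  );
})();
```

Because nothing here is inline and nothing calls `eval` or builds code from strings, the file needs no CSP exception; `script-src 'self'` covers it as long as it is served from the same origin as index.html.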

@gemini-code-assist

Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security posture by enforcing a strict Content Security Policy within the renderer process. It also improves maintainability by refactoring the theme initialization logic into a dedicated external script, which is a necessary step to comply with the new security policy. These changes collectively reduce the attack surface and ensure a more robust and secure application environment.

Highlights

  • Enhanced Security with Content Security Policy (CSP): A strict Content Security Policy has been implemented for the renderer process, specifically in src/renderer/public/index.html, to mitigate cross-site scripting (XSS) and other injection attacks. The policy disallows 'unsafe-inline' and 'unsafe-eval' scripts and styles.
  • Externalized Theme Bootstrap Logic: The inline JavaScript responsible for applying dark mode at startup has been moved from src/renderer/public/index.html to a new external file, src/renderer/public/theme-bootstrap.js. This change is crucial for adhering to the strict CSP, which prohibits inline scripts.
  • Added CSP Regression Tests and Documentation: New unit tests (tests/unit/main/csp-policy.test.ts) have been introduced to ensure the CSP policy contract is maintained and that no inline scripts are present in the renderer's index.html. Additionally, the docs/DEVELOPMENT.md file has been updated to document the new CSP policy.


Changelog
  • docs/DEVELOPMENT.md
    • Added a new section detailing the renderer's Content Security Policy (CSP) and its directives.
    • Documented the externalization of the dark mode bootstrap script as a consequence of the strict CSP.
  • src/renderer/public/index.html
    • Inserted a new <meta http-equiv="Content-Security-Policy" ...> tag to enforce a strict CSP.
    • Removed the inline JavaScript block responsible for initial dark mode application.
    • Updated the script tag to reference the newly externalized theme-bootstrap.js file.
  • src/renderer/public/theme-bootstrap.js
    • Created a new JavaScript file containing the dark mode bootstrap logic previously embedded inline in index.html.
  • tests/catalog.md
    • Added an entry for the new csp-policy.test.ts file, describing its purpose to validate the CSP and absence of inline scripts.
  • tests/unit/main/csp-policy.test.ts
    • Created a new unit test file to verify the strictness of the renderer's CSP policy.
    • Added tests to ensure no 'unsafe-inline' or 'unsafe-eval' directives are present in the CSP.
    • Included tests to confirm that theme bootstrap is loaded from an external script and no inline scripts exist in index.html.
Activity
  • No specific activity (comments, reviews, progress updates) has been recorded for this pull request yet.

@github-actions Bot commented Feb 19, 2026

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

@gemini-code-assist Bot left a comment

Code Review

This pull request significantly improves the application's security by introducing a Content Security Policy (CSP) and removing inline scripts, alongside externalizing the theme bootstrap logic. However, a medium-severity vulnerability was identified where the connect-src directive is overly permissive, potentially allowing connections to insecure endpoints and weakening XSS protection. Further strengthening of the CSP is recommended, along with making the new CSP tests more robust.

<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"


security-medium medium

The connect-src directive in the Content Security Policy is overly permissive, allowing connections over https: and, more critically, http:. This constitutes a medium-severity vulnerability (Insecure Communication) as allowing http: undermines HTTPS security, making the application vulnerable to man-in-the-middle attacks and data exfiltration. It's strongly recommended to restrict this directive to 'self' and only specific, trusted domains, prioritizing https: for all external connections.

Suggested change
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"

<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"


medium

The img-src directive includes assets:, which is not a standard CSP source keyword. If this is intended to allow images from a local assets directory, the 'self' keyword should already cover this. If assets: refers to a custom protocol scheme (e.g., in Electron), it would be beneficial to add a comment for clarity. If it's a typo or not needed, it should be removed to keep the policy clean.

Suggested change
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"

Comment on lines +9 to +25
it('defines a strict CSP policy without unsafe script/style exceptions', () => {
const indexHtml = readRendererIndex();
const cspMatch = indexHtml.match(
/<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]+)"/
);

expect(cspMatch).not.toBeNull();
const cspValue = cspMatch?.[1] ?? '';

expect(cspValue).toContain("default-src 'self'");
expect(cspValue).toContain("script-src 'self'");
expect(cspValue).toContain("style-src 'self'");
expect(cspValue).toContain("object-src 'none'");
expect(cspValue).toContain("base-uri 'none'");
expect(cspValue).not.toContain("'unsafe-inline'");
expect(cspValue).not.toContain("'unsafe-eval'");
});


medium

This test is a great start for ensuring the CSP is enforced. To make it more robust and prevent accidental weakening of the policy in the future, consider using a snapshot test for the CSP value. This will ensure the entire policy is tracked and any changes must be explicitly reviewed and approved.

Suggested change
it('defines a strict CSP policy without unsafe script/style exceptions', () => {
const indexHtml = readRendererIndex();
const cspMatch = indexHtml.match(
/<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]+)"/
);
expect(cspMatch).not.toBeNull();
const cspValue = cspMatch?.[1] ?? '';
expect(cspValue).toContain("default-src 'self'");
expect(cspValue).toContain("script-src 'self'");
expect(cspValue).toContain("style-src 'self'");
expect(cspValue).toContain("object-src 'none'");
expect(cspValue).toContain("base-uri 'none'");
expect(cspValue).not.toContain("'unsafe-inline'");
expect(cspValue).not.toContain("'unsafe-eval'");
});
it('defines a strict CSP policy', () => {
const indexHtml = readRendererIndex();
const cspMatch = indexHtml.match(
/<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]+)"/
);
expect(cspMatch).not.toBeNull();
const cspValue = cspMatch?.[1] ?? '';
// A snapshot test ensures the entire policy is tracked.
// Any change to the CSP will require the snapshot to be updated,
// making regressions easier to spot during code review.
expect(cspValue).toMatchSnapshot();
// It's still a good idea to keep explicit checks for critical items.
expect(cspValue).not.toContain("'unsafe-inline'");
expect(cspValue).not.toContain("'unsafe-eval'");
});
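The snapshot suggestion above, and the attribute-order point raised further down the thread, both come down to the same thing: check the policy structurally rather than by substring. The block below is an added example, not code from the PR or from either reviewer. It pulls the `content` attribute out of whichever `<meta>` carries `http-equiv="Content-Security-Policy"` regardless of attribute order, splits the policy into directives, and reports what a reviewer would want to know: missing required directives, `'unsafe-inline'`/`'unsafe-eval'` anywhere, `http:` or `*` as a source, and directives the CSP spec ignores when delivered through `<meta>` (`frame-ancestors`, `report-uri`, `sandbox`). The sample HTML is constructed, with the attributes deliberately swapped to show the extractor does not care about their order.

```javascript
// Added example (not the project's csp-policy.test.ts): structural CSP checks.

// Constructed sample of a renderer index.html head. The content attribute is
// placed before http-equiv on purpose.
const SAMPLE_INDEX_HTML = `<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <meta content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
      http-equiv="Content-Security-Policy" />
    <script src="./theme-bootstrap.js"></script>
  </head>
  <body><div id="root"></div></body>
</html>`;

// Find the <meta> whose http-equiv is Content-Security-Policy, in any
// attribute order, and return its content attribute (null if absent).
function extractMetaCsp(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    if (!/http-equiv\s*=\s*["']Content-Security-Policy["']/i.test(tag)) continue;
    const m =
      tag.match(/\bcontent\s*=\s*"([^"]*)"/i) ||
      tag.match(/\bcontent\s*=\s*'([^']*)'/i);
    if (m) return m[1].trim();
  }
  return null;
}

// Parse "a b; c d e" into { a: ['b'], c: ['d', 'e'] }. Directive names are
// case-insensitive; source expressions are kept as written.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Directives the CSP spec says are ignored in a <meta>-delivered policy.
const META_IGNORED = ['frame-ancestors', 'report-uri', 'sandbox'];

// What the renderer policy must contain; values must appear as sources.
const REQUIRED = {
  'default-src': "'self'",
  'script-src': "'self'",
  'style-src': "'self'",
  'object-src': "'none'",
  'base-uri': "'none'",
};

// Returns a list of findings; an empty list means the contract holds.
function checkRendererCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);
  for (const [name, want] of Object.entries(REQUIRED)) {
    if (!d[name]) findings.push(`missing ${name}`);
    else if (!d[name].includes(want)) findings.push(`${name} lacks ${want}`);
  }
  for (const [name, sources] of Object.entries(d)) {
    for (const s of sources) {
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'") findings.push(`${name} allows ${s}`);
      if (s === 'http:' || s === '*') findings.push(`${name} allows ${s}`);
    }
    if (META_IGNORED.includes(name)) findings.push(`${name} is ignored in a <meta> policy`);
  }
  return findings;
}
```

In a Jest test the assertion becomes `expect(checkRendererCsp(extractMetaCsp(html))).toEqual([])`, which fails with the list of concrete problems rather than a null-match error, and can sit beside a snapshot of the raw string if the team wants every change reviewed.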

@qodo-free-for-open-source-projects

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (1) 📎 Requirement gaps (0)



Action required

1. qa:screenshot not run for UI change 📘 Rule violation ✓ Correctness
Description
The PR modifies startup UI rendering behavior by replacing the inline dark-mode bootstrap script
with an external theme-bootstrap.js file, which qualifies as a UI behavior change. The PR
description's validation section omits npm run qa:screenshot, violating the requirement to run
screenshot QA whenever UI behavior or layout changes are introduced.
Code

src/renderer/public/index.html[12]

+    <script src="./theme-bootstrap.js"></script>
Evidence
Compliance rule ID 4 requires npm run qa:screenshot to be executed and pass whenever UI behavior
or layout changes are included. The change at index.html line 12 replaces the inline dark-mode
script with <script src="./theme-bootstrap.js"></script>, directly altering the startup rendering
behavior (flash-of-light-theme prevention). The PR description lists `npm run lint`, `npm test -- --runInBand`, `xvfb-run -a npm run e2e:playwright:ci`, `npm run test:stress`, and `make sonar` — but `npm run qa:screenshot` is entirely absent.

AGENTS.md
src/renderer/public/index.html[12-12]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR modifies startup UI rendering behavior — the inline dark-mode bootstrap script has been externalized to `theme-bootstrap.js` — but `npm run qa:screenshot` was not executed or reported in the PR validation steps.

## Issue Context
Compliance rule ID 4 requires the screenshot QA gate (`npm run qa:screenshot`) to pass whenever UI behavior or layout changes are introduced. The dark-mode bootstrap change affects the initial visual state of the application (prevents flash of light theme), which qualifies as a UI behavior change. The catalog at `tests/catalog.md` line 18 also lists `npm run qa:screenshot` as the designated UI screenshot gate command.

## Fix Focus Areas
- Run `npm run qa:screenshot` locally and confirm zero failures
- Add `npm run qa:screenshot` to the PR description validation section
- src/renderer/public/index.html[12-12]
- src/renderer/public/theme-bootstrap.js[1-22]



2. frame-ancestors ignored in meta CSP 🐞 Bug ⛨ Security
Description
The CSP specification explicitly prohibits frame-ancestors inside a `<meta http-equiv='Content-Security-Policy'>` tag — browsers and Electron's Chromium engine are required to silently ignore it. Since Electron loads the renderer via loadFile() (file:// protocol) with no HTTP response headers and no onHeadersReceived hook, the intended clickjacking protection is completely non-operational.
Code

src/renderer/public/index.html[R6-9]

+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: assets:; font-src 'self' data:; connect-src 'self' https: http:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"
+    />
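Review bot: `style-src 'self'` in this hunk blocks inline `style=""` attributes and any `<style>` element a UI library injects at runtime, not only `<style>` blocks written into index.html; the PR description already had to move the screenshot harness to an external stylesheet route for this reason, so the renderer bundle itself should be checked the same way (the Playwright run in the validation list will surface CSP violation reports in the renderer console for any library that still injects styles). The placement is right: the policy sits at lines 6-9 and the external script at line 12, so the meta policy is parsed before `theme-bootstrap.js` runs. `connect-src 'self' https: http:` remains the one loose directive in the line; dropping `http:` outright, and replacing `https:` with the specific hosts the app talks to, would close it.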
Evidence
The frame-ancestors 'none' directive is placed inside a <meta> tag in index.html. The CSP spec
mandates this directive be ignored in meta tags. Electron loads the renderer with loadFile()
(file:// protocol), so there are no HTTP response headers to carry the directive, and no
session-level CSP header injection exists in the main process.

src/renderer/public/index.html[6-9]
src/main/index.ts[210-215]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The `frame-ancestors 'none'` CSP directive is placed inside a `<meta http-equiv='Content-Security-Policy'>` tag. Per the CSP specification, this directive MUST be ignored when delivered via a meta tag — it is only effective via HTTP response headers. Electron loads the renderer using `loadFile()` (file:// protocol) with no HTTP headers, so the protection is completely non-functional.

## Issue Context
The directive appears in the meta CSP tag in `src/renderer/public/index.html`. The main process in `src/main/index.ts` uses `mainWindow.loadFile()` and has no `session.webRequest.onHeadersReceived` hook to inject HTTP-level CSP headers.

## Fix Focus Areas
- `src/renderer/public/index.html[8-8]` — Remove `frame-ancestors 'none'` from the `content` attribute of the meta CSP tag to avoid false security confidence
- `src/main/index.ts[264-310]` — Optionally add a `session.defaultSession.webRequest.onHeadersReceived` handler in `bootstrapApp()` to inject `Content-Security-Policy: frame-ancestors 'none'` as a real HTTP response header if framing protection is a genuine requirement




Remediation recommended

3. CSP test regex sensitive to attribute order 🐞 Bug ⛯ Reliability
Description
The test regex /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]+)"/ requires
http-equiv to appear before content in the HTML. HTML attribute order is not standardized and
can be changed by formatters. If reordered, the regex fails to match, causing the test to fail with
a confusing null-assertion error rather than a meaningful CSP contract failure.
Code

tests/unit/main/csp-policy.test.ts[R11-13]

+    const cspMatch = indexHtml.match(
+      /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]+)"/
+    );
Evidence
The regex on lines 11–13 of the test file uses sequential \s+ to match http-equiv then content
in that exact order. The current HTML has http-equiv on line 7 and content on line 8, so it
passes today — but any formatter reordering the attributes would break the match. The
expect(cspMatch).not.toBeNull() guard on line 15 would then fail with a null-assertion error,
obscuring the actual CSP contract intent.

tests/unit/main/csp-policy.test.ts[11-16]
src/renderer/public/index.html[6-9]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The CSP test regex requires HTML attributes in a specific order (`http-equiv` before `content`). HTML attribute order is not standardized and can be changed by code formatters, making the test brittle. If the order changes, the regex fails to match and the test fails with a confusing null-assertion error rather than a meaningful CSP contract failure.

## Issue Context
The regex is in `tests/unit/main/csp-policy.test.ts` lines 11–13. The current HTML in `src/renderer/public/index.html` has `http-equiv` before `content`, so the test passes today, but this is a fragile assumption.

## Fix Focus Areas
- `tests/unit/main/csp-policy.test.ts[11-13]` — Replace the order-sensitive regex with an order-agnostic one, for example:
 ```ts
 const cspMatch =
   indexHtml.match(/<meta[^>]*http-equiv="Content-Security-Policy"[^>]*content="([^"]+)"/s) ??
   indexHtml.match(/<meta[^>]*content="([^"]+)"[^>]*http-equiv="Content-Security-Policy"[^>]*>/s);
 ```
 Or extract the full `<meta>` block first, then extract the `content` attribute value separately.
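Qodo's second finding ends with the suggestion to deliver the header-only directives from the main process. The block below is an added example, not the project's src/main/index.ts, of what that hook looks like with the merge logic kept testable: the session is a parameter so a stand-in can drive the registered listener outside Electron, and the policy is appended to any `Content-Security-Policy` header already on the response rather than replacing it, because a response carrying several policies is enforced against all of them, so appending can only tighten. Two things are assumptions and should be verified against the Electron version in use: that the hook is called from `bootstrapApp()` after `app.whenReady()`, and that a header injected here governs a document loaded with `loadFile()` over `file://`; if it does not, serving the renderer from a custom scheme through `protocol.handle()`, where the `Response` carries real headers, is the alternative.

```javascript
// Added example (not the project's main-process code): inject a CSP as a real
// HTTP response header. Header-only directives (frame-ancestors, sandbox,
// report-uri) are ignored in a <meta> policy, so the header is where they live.

const HEADER_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; " +
  "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; " +
  "object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'";

// Append `policy` to whatever Content-Security-Policy the response already
// carries. Header names may arrive in any case, so match case-insensitively
// and reuse the existing key. Returns a new headers object (Electron's
// details.responseHeaders is a Record<string, string[]>); input is not mutated.
function withCspHeader(responseHeaders, policy) {
  const out = { ...(responseHeaders || {}) };
  const existingKey = Object.keys(out).find(
    (k) => k.toLowerCase() === 'content-security-policy'
  );
  const key = existingKey || 'Content-Security-Policy';
  const existing = existingKey ? [].concat(out[existingKey]) : [];
  out[key] = [...existing, policy];
  return out;
}

// Register the hook on a session (duck-typed: anything with
// webRequest.onHeadersReceived). When `urls` is omitted the listener sees
// every response, which is the conservative default for a desktop app that
// only loads its own renderer. Returns the policy that was installed.
function installCspHeaders(session, policy = HEADER_CSP, urls) {
  const listener = (details, callback) => {
    callback({ responseHeaders: withCspHeader(details.responseHeaders, policy) });
  };
  if (urls) session.webRequest.onHeadersReceived({ urls }, listener);
  else session.webRequest.onHeadersReceived(listener);
  return policy;
}

// Wiring in the real app (assumption: bootstrapApp(), after app.whenReady()):
//   const { session } = require('electron');
//   installCspHeaders(session.defaultSession);
```

With the header in place the `<meta>` policy can stay as belt-and-braces for the directives it does support, and the `frame-ancestors 'none'` entry in it can be removed so the test suite does not assert on a directive that is never enforced.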


@sonarqubecloud

@Mehdi-Bl Mehdi-Bl merged commit 0426da0 into main Feb 19, 2026
27 checks passed
@Mehdi-Bl Mehdi-Bl deleted the feat/sec-25-renderer-csp-hardening branch February 19, 2026 06:43