I ran a security review with Claude Fable 5 and it spotted a nasty problem. The current CSP mechanism means a malicious user with permission to create shared apps in an instance could build an app which deliberately leaks data via allow-list CSP, then trick another user of that instance into visiting that app and hence steal data that user has access to.
This is unacceptable. I'm going to solve it by having a different permission for setting CSP on a specific version of an app, that way only trusted users can set CSPs - and if an admin upgrades an innocent-looking app to have a CSP the author of the app will not be able to modify it to abuse that trust later on.
I ran a security review with Claude Fable 5 and it spotted a nasty problem. The current CSP mechanism means a malicious user with permission to create shared apps in an instance could build an app which deliberately leaks data via allow-list CSP, then trick another user of that instance into visiting that app and hence steal data that user has access to.
This is unacceptable. I'm going to solve it by having a different permission for setting CSP on a specific version of an app, that way only trusted users can set CSPs - and if an admin upgrades an innocent-looking app to have a CSP the author of the app will not be able to modify it to abuse that trust later on.