add explicit content_security_policy

[juju4]

This should reduce security risk score as evaluated on
https://crxcavator.io/report/%7Bc07d1a49-9894-49ff-a594-38960ede8fb9%7D?platform=Firefox&new_scan=true

No XHR identified for connect-src

[sneakypete81]

Thanks for submitting this. However:

• connect-src is required to perform the scanning (loading HTML from any website).
• base-uri is required to load images/CSS when displaying the loaded HTML (this is done from a sandboxed iframe with scripts disabled).

I think the Firefox Webextension CSP defaults are reasonable: "script-src 'self'; object-src 'self';". But if you still have any specific concerns, please let me know.

[juju4]

does both are really needed for all websites? can't have a smaller approved list?

I believe default-src 'none'; is the main one that would help to drop risk score, at least for crxcavator.
if only this extra, would it be fine to merge?

[sneakypete81]

does both are really needed for all websites? can't have a smaller approved list?

It's not possible to list ahead of time all websites that a user might want to scan.

Default-src is the fallback for unspecified policies. If this were set to "none" then it would end up disabling a lot of the extension's functionality. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src.

[juju4]

but unspecified is the part where security is at play, ensure software does what it is designed to/specified and not anything else.
happy to add other policies where needed but would need some pointers. style-src for css. what else?