by jlgaddis 2962 days ago
> ... or on a Samba network share that your computer is already connected to.

Does CSP prevent this working with, for example, a malicious.js file on a remote, attacker-controlled Samba server (configured to allow "anonymous" connections)?

1 comment

The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron.

So, 'self' is ALL file:// URIs.