by zaphod420 921 days ago
One of the comments on the github issue... https://github.com/LedgerHQ/connect-kit/issues/29

"The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.

This looks like an extremely dangerous approach now, if I understand it correctly, connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is comprised, all downstream dApps are automatically exposed."


So it was intended to be used this way. Didn't work very well. Connect-kit-loader trusts whatever the CDN throws, CDN trusts whatever NPM throws and NPM trusts whatever GitHub throws.
Is there even an alternative? Once you can inject arbitrary code into a library that a web app loads and executes (except if it’s in an iFrame), it’s game over, no?
Partially, one could use a Content-Security-Policy to lock things further down.