
[Bug][Security] tauri.conf.json: Content Security Policy is set to null, disabling XSS protection in the Tauri WebView #127

@anshul23102

Bug Summary

src-tauri/tauri.conf.json explicitly sets the Content Security Policy to null:

"app": {
  "security": {
    "csp": null
  }
}

Setting csp: null in Tauri's configuration disables the built-in CSP enforcement entirely. Tauri's default CSP (when not explicitly set) restricts script execution to 'self' and blocks inline scripts, eval(), and external script sources. By setting it to null, the application removes this protection layer.

In a Tauri application, the frontend runs inside a native WebView. If any page rendered in the WebView contains an XSS vulnerability (for example, via dangerouslySetInnerHTML, unsanitized data rendered from the backend API, or third-party rich-text components), the absence of CSP means:

  1. Injected scripts execute without restriction.
  2. Tauri's inter-process communication (IPC) bridge (window.__TAURI__) is accessible from injected scripts, which could allow calling arbitrary Tauri commands with elevated native privileges.
  3. There is no fallback browser-level restriction to limit the damage.

Expected Behavior

A restrictive CSP should be configured. At minimum:

"security": {
  "csp": "default-src 'self'; script-src 'self'; connect-src ipc: http://ipc.localhost;"
}

Actual Behavior

CSP is completely disabled. All inline scripts, eval(), and external resources are permitted in the WebView.

Affected File

src-tauri/tauri.conf.json
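As an added example (not code from the issue or from the project), the following Node.js script audits the app.security.csp value of a tauri.conf.json the way a pre-commit or CI check would: it flags the null policy shown above, then checks a non-null policy for 'unsafe-inline', 'unsafe-eval' and wildcard script sources and for a connect-src that omits the ipc: and http://ipc.localhost sources the suggested policy relies on. The function names (auditTauriCsp, parseCsp, cspToString) and the sample configs are this example's own; the v1 fallback to tauri.security.csp and the object form of the v2 csp field are assumptions about Tauri's config schema stated in the comments.

```javascript
// Added example, not part of the issue or the project. Audits the Content
// Security Policy in a tauri.conf.json and returns a list of findings.

// Constructed sample configs: the null policy reported in the issue and the
// restrictive policy the issue suggests as a minimum.
const NULL_CSP_CONFIG = JSON.stringify({
  app: { security: { csp: null } },
});

const HARDENED_CONFIG = JSON.stringify({
  app: {
    security: {
      csp: "default-src 'self'; script-src 'self'; connect-src ipc: http://ipc.localhost;",
    },
  },
});

// Assumption about the Tauri v2 schema: csp may also be an object mapping a
// directive name to a string or an array of sources. Normalise it to a string.
function cspToString(csp) {
  if (typeof csp === 'string') return csp;
  return Object.entries(csp)
    .map(([name, sources]) => `${name} ${Array.isArray(sources) ? sources.join(' ') : sources}`)
    .join('; ');
}

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Returns an array of human-readable findings; an empty array means the
// policy passes every check below.
function auditTauriCsp(configText) {
  const cfg = JSON.parse(configText);
  // Tauri v2 keeps the policy at app.security; v1 used tauri.security.
  const security = (cfg.app && cfg.app.security) || (cfg.tauri && cfg.tauri.security) || {};
  const csp = security.csp;
  const findings = [];

  if (csp === null || csp === undefined) {
    findings.push('csp is null or unset: no Content Security Policy is injected into the WebView');
    return findings;
  }

  const policy = parseCsp(cspToString(csp));

  // script-src falls back to default-src when absent.
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) {
    findings.push('neither script-src nor default-src is set: scripts may load from anywhere');
  } else {
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (scriptSrc.includes(bad)) findings.push(`script sources allow ${bad}`);
    }
  }

  // The suggested policy allows ipc: and http://ipc.localhost in connect-src so
  // that Tauri IPC requests are not blocked once a restrictive CSP is in place.
  const connectSrc = policy['connect-src'] || policy['default-src'] || [];
  for (const needed of ['ipc:', 'http://ipc.localhost']) {
    if (!connectSrc.includes(needed)) {
      findings.push(`connect-src does not allow ${needed}: Tauri IPC requests may be blocked`);
    }
  }
  return findings;
}

console.log('null policy:', auditTauriCsp(NULL_CSP_CONFIG));
console.log('hardened policy:', auditTauriCsp(HARDENED_CONFIG));
```

Point the script at a real file with `auditTauriCsp(fs.readFileSync('src-tauri/tauri.conf.json', 'utf8'))` and fail the build when the returned array is non-empty; the null case is reported as a single finding because nothing else can be checked without a policy.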


@NexGenStudioDev I would like to work on this issue. Could you please assign it to me? Contributing under NSoC '26.
