Open · enhancement (New feature or request)

Description
In src-tauri/tauri.conf.json:51, the Content Security Policy is explicitly set to null:

```json
"security": {
  "csp": null,
  ...
}
```

This disables all CSP protections, increasing the attack surface for XSS if any user-controlled content is rendered (e.g., filenames, paths displayed in the UI).
Suggested fix

Configure a reasonable CSP that allows the app's own assets, inline styles (for Tailwind), and data: URIs (for base64 image previews), while blocking everything else. Example starting point:

```
default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'
```
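As an added example (not part of this issue or the project's code), the following Node script lints the `csp` value of a `tauri.conf.json`-shaped object before it ships: it reports the `null` case, then parses a policy string and flags a missing `default-src`, wildcard sources, and `'unsafe-inline'`/`'unsafe-eval'`/`data:` in the effective `script-src`. The config objects are constructed inline to mirror the issue; the lint looks for the policy under both `tauri.security.csp` (Tauri 1 layout) and `app.security.csp` (Tauri 2 layout), which is an assumption about which version the project uses. Function names (`parseCsp`, `lintTauriCsp`) are the example's own.

```javascript
// Added example, not from the issue or the project. Lints the "security.csp"
// value of a tauri.conf.json-shaped object.

// Parse a CSP string into a Map of directive name -> array of source expressions.
function parseCsp(csp) {
  const directives = new Map();
  for (const raw of csp.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; if neither is
// present the directive is unrestricted, which we represent as null.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get("default-src") ?? null;
}

const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "connect-src", "object-src"];

// Return an array of human-readable findings; an empty array means the
// policy passed every check in this (deliberately small) rule set.
function lintTauriCsp(config) {
  const findings = [];
  // Assumption: Tauri 1 keeps the policy at tauri.security.csp, Tauri 2 at app.security.csp.
  const csp = config?.tauri?.security?.csp ?? config?.app?.security?.csp ?? null;
  if (csp === null) {
    findings.push("security.csp is null: no CSP is applied, every source is allowed");
    return findings;
  }
  const d = parseCsp(csp);
  if (!d.has("default-src")) {
    findings.push("missing default-src: any directive not listed is unrestricted");
  }
  for (const name of FETCH_DIRECTIVES) {
    const sources = effectiveSources(d, name);
    if (sources === null) {
      findings.push(`${name}: unrestricted`);
      continue;
    }
    if (sources.includes("*")) findings.push(`${name}: wildcard source`);
    if (name === "script-src") {
      if (sources.includes("'unsafe-inline'")) findings.push("script-src: 'unsafe-inline' lets injected inline scripts run");
      if (sources.includes("'unsafe-eval'")) findings.push("script-src: 'unsafe-eval' allows eval()/new Function()");
      if (sources.includes("data:")) findings.push("script-src: data: URIs can carry attacker-supplied scripts");
    }
  }
  return findings;
}

// Constructed sample configs: the issue's current state, the suggested fix,
// and a deliberately weak policy to show what the lint catches.
const SAMPLE_CONFIGS = {
  current: { tauri: { security: { csp: null } } },
  suggested: { tauri: { security: { csp:
    "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'" } } },
  weak: { app: { security: { csp: "default-src *; script-src 'unsafe-inline' 'unsafe-eval'" } } },
};

for (const [label, cfg] of Object.entries(SAMPLE_CONFIGS)) {
  console.log(label, lintTauriCsp(cfg));
}
```

The suggested policy passes this lint because `'unsafe-inline'` is confined to `style-src` and `data:` to `img-src`; neither lets injected markup execute script, which is the property the issue wants. One caveat to verify against the Tauri version in use: the webview talks to the Rust side over an IPC channel, and Tauri's own docs show a `connect-src` entry for it in the example policy, so test the IPC calls after enabling the CSP rather than assuming `'self'` covers them.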