From 60b995394ea3251077339c158a67e85075db9d76 Mon Sep 17 00:00:00 2001
From: le king fu
Date: Fri, 10 Apr 2026 15:24:52 -0400
Subject: [PATCH] fix: tighten CSP img-src, show initials instead of external avatar
Privacy-first: remove 'https:' from img-src CSP directive to prevent IP leaks via external avatar URLs (Google/Gravatar). AccountCard now shows user initials instead of loading a remote image. Also remove .keys-temp/ from .gitignore (not relevant to this PR).
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitignore | 1 -
 src-tauri/tauri.conf.json | 2 +-
 src/components/settings/AccountCard.tsx | 10 +++-------
 3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7f63472..3758002 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,4 +51,3 @@ public/CHANGELOG.fr.md
 # Tauri generated
 src-tauri/gen/
-.keys-temp/
diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json
index 6854e12..9d97e68 100644
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@@ -18,7 +18,7 @@
 }
 ],
 "security": {
- "csp": "default-src 'self'; script-src 'self'; connect-src 'self' https://api.lacompagniemaximus.com https://auth.lacompagniemaximus.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
+ "csp": "default-src 'self'; script-src 'self'; connect-src 'self' https://api.lacompagniemaximus.com https://auth.lacompagniemaximus.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
 }
 },
 "bundle": {
diff --git a/src/components/settings/AccountCard.tsx b/src/components/settings/AccountCard.tsx
index facca42..b19e0d7 100644
--- a/src/components/settings/AccountCard.tsx
+++ b/src/components/settings/AccountCard.tsx
@@ -26,13 +26,9 @@ export default function AccountCard() {
 {state.status === "authenticated" && state.account && (
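Review bot: Removing `.keys-temp/` from .gitignore drops the only rule that kept that directory out of commits, and the commit message itself describes the change as unrelated to this PR. The name suggests key material; if any local script or tooling still writes there, a routine `git add -A` will stage its contents. Please confirm the directory is no longer produced anywhere before deleting the entry, or move the deletion into its own commit with that justification; until then keeping the line `.keys-temp/` costs nothing.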
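Review bot: The new `csp` value on the `+` line still leaves two egress paths that `default-src` does not cover: `form-action` and `base-uri` have no fallback, so a form submission or a `<base>` element can still target an arbitrary origin even though `img-src` is now confined. Since the stated goal is to keep the webview from contacting third-party hosts, consider appending `; form-action 'self'; base-uri 'self'` to the directive so that `connect-src` is the only place an external origin is named. `style-src 'unsafe-inline'` is pre-existing and outside this change; fonts, frames and media already fall back to `default-src 'self'`. If a `devCsp` is configured elsewhere in this file, it should drop `https:` from `img-src` as well so dev builds behave like release builds.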
- {state.account.picture && (
-
- )}
+
+ {(state.account.name || state.account.email).charAt(0).toUpperCase()}
+

{state.account.name || state.account.email}