simonw 18 hours ago

I was curious as to the security context this runs in:

Here are the headers I got back:

Presumably that rate limit is against your IP?

"access-control-allow-origin: *" is interesting - it means you can access content hosted in this way using fetch() from JavaScript on any web page on any other domain.

"content-security-policy: default-src 'none'; sandbox" is very restrictive (which is good) - content hosted here won't be able to load additional scripts or images, and the sandbox tag means it can't run JavaScript either: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
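An added example, not from the thread or the service discussed: a small Python checker that parses the two response headers quoted above and reports whether other origins can read the content, whether a sandbox is in force, whether every fetch directive is 'none', and whether script can run. The header values are constructed to match the ones in the comment, plus a constructed looser policy for contrast.

```python
from __future__ import annotations


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [tokens]}.
    Directives are ';'-separated; the first token names the directive and
    the rest are its source expressions or flags ('sandbox' may have none)."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _is_none(sources: list[str] | None) -> bool:
    return sources is not None and [s.lower() for s in sources] == ["'none'"]


def summarise(headers: dict[str, str]) -> dict[str, bool]:
    """Summarise what the response headers permit (header names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    default_src = csp.get("default-src")
    # script-src falls back to default-src when absent; no CSP means no restriction.
    script_src = csp.get("script-src", default_src)
    sandbox_flags = csp.get("sandbox")  # None when there is no sandbox directive
    sandboxed = sandbox_flags is not None
    blocked_by_sandbox = sandboxed and "allow-scripts" not in sandbox_flags
    # Every fetch directive (default-src and any *-src override) must be 'none'.
    fetch_dirs = [v for k, v in csp.items() if k.endswith("-src")]
    return {
        "cross_origin_readable": h.get("access-control-allow-origin") == "*",
        "sandboxed": sandboxed,
        "all_fetches_blocked": _is_none(default_src) and all(_is_none(v) for v in fetch_dirs),
        "script_can_run": not (blocked_by_sandbox or _is_none(script_src)),
    }


# Constructed sample matching the header values quoted in the comment.
HOSTED_FILE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}

# Constructed contrast: a sandbox that re-enables script execution.
LOOSER_HEADERS = {"Content-Security-Policy": "default-src 'self'; sandbox allow-scripts"}

if __name__ == "__main__":
    for name, hdrs in (("hosted", HOSTED_FILE_HEADERS), ("looser", LOOSER_HEADERS)):
        print(name, summarise(hdrs))
```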
benatkin 17 hours ago

Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2], and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe.)

1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...
nightpool 17 hours ago

Is the default-src necessary if you're using sandbox, or is it redundant?