From 2e887f73097a13c2e3293a6f8b2fe665af2b47d5 Mon Sep 17 00:00:00 2001
From: martgil <martroblesit@gmail.com>
Date: Fri, 15 May 2026 14:04:11 +0800
Subject: [PATCH 1/4] fix: update manifest.json

---
 extension/manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extension/manifest.json b/extension/manifest.json
index 1dacb7dea2a..6ccc1de815a 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -98,6 +98,6 @@
   ],
   "minimum_chrome_version": "96",
   "content_security_policy": {
-    "extension_pages": "script-src 'self'; frame-ancestors https://mail.google.com 'self'; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
+    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-src 'self' https://mail.google.com/ blob:; worker-src 'self'; connect-src 'self' https://*.google.com https://*.googleapis.com https://flowcrypt.com; default-src 'self'; frame-ancestors 'self' https://mail.google.com; base-uri 'self'; form-action 'self' https://accounts.google.com; font-src 'self' data:; manifest-src 'self'; object-src 'none'; media-src 'self' blob: https:; require-trusted-types-for 'script'; trusted-types default DOMPurify; upgrade-insecure-requests; block-all-mixed-content;"
   }
 }

From cbddd46bc60db790c52dcd3692b58529c43624cf Mon Sep 17 00:00:00 2001
From: martgil <martroblesit@gmail.com>
Date: Fri, 15 May 2026 14:05:06 +0800
Subject: [PATCH 2/4] 
 https://github.com/FlowCrypt/flowcrypt-security/issues/327

---
 extension/js/common/platform/xss.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/extension/js/common/platform/xss.ts b/extension/js/common/platform/xss.ts
index 705f86e9ece..9e5c5c0536c 100644
--- a/extension/js/common/platform/xss.ts
+++ b/extension/js/common/platform/xss.ts
@@ -137,7 +137,7 @@ export class Xss {
         } else if (imgHandling === 'IMG-KEEP' && checkValidURL(src)) {
           // replace remote image with remote_image_container
           const remoteImgEl = `
-        <div class="remote_image_container" data-src="${src}" data-test="remote-image-container">
+        <div class="remote_image_container" data-src="${Xss.escape(src)}" data-test="remote-image-container">
           <span>Authenticity of this remote image cannot be verified.</span>
         </div>`;
           Xss.replaceElementDANGEROUSLY(img, remoteImgEl); // xss-safe-value
@@ -147,7 +147,7 @@ export class Xss {
       // Handle custom containers or CID-patterned src
       if ((node.classList.contains('remote_image_container') || CID_PATTERN.test(node.getAttribute('src') ?? '')) && imgHandling === 'IMG-TO-PLAIN-TEXT') {
         const replacement = node.getAttribute('data-src') ?? node.getAttribute('alt') ?? '';
-        Xss.replaceElementDANGEROUSLY(node, replacement); // xss-safe-value
+        Xss.replaceElementDANGEROUSLY(node, Xss.escape(replacement)); // xss-safe-value
       }
 
       // Handle links (target and rel attributes)
@@ -171,7 +171,7 @@ export class Xss {
     for (const imageContainer of imageContainerList) {
       const imgUrl = imageContainer.dataset.src;
       if (imgUrl) {
-        Xss.sanitizeAppend(imageContainer, `<img src="${imgUrl}"/>`);
+        Xss.sanitizeAppend(imageContainer, `<img src="${Xss.escape(imgUrl)}"/>`);
       }
     }
   };

From 5c889b0c739da306466b5ad992a81fa2b432a954 Mon Sep 17 00:00:00 2001
From: martgil <martroblesit@gmail.com>
Date: Tue, 19 May 2026 12:52:38 +0800
Subject: [PATCH 3/4] fix: update content security policy in manifest.json to
 allow localhost connections

---
 extension/manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extension/manifest.json b/extension/manifest.json
index 6ccc1de815a..351eaab1220 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -98,6 +98,6 @@
   ],
   "minimum_chrome_version": "96",
   "content_security_policy": {
-    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-src 'self' https://mail.google.com/ blob:; worker-src 'self'; connect-src 'self' https://*.google.com https://*.googleapis.com https://flowcrypt.com; default-src 'self'; frame-ancestors 'self' https://mail.google.com; base-uri 'self'; form-action 'self' https://accounts.google.com; font-src 'self' data:; manifest-src 'self'; object-src 'none'; media-src 'self' blob: https:; require-trusted-types-for 'script'; trusted-types default DOMPurify; upgrade-insecure-requests; block-all-mixed-content;"
+    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-src 'self' https://mail.google.com/ blob:; worker-src 'self'; connect-src 'self' http://localhost:* https://localhost:* http://127.0.0.1:* https://127.0.0.1:* https://*.google.com https://*.googleapis.com https://flowcrypt.com; default-src 'self'; frame-ancestors 'self' https://mail.google.com; base-uri 'self'; form-action 'self' https://accounts.google.com; font-src 'self' data:; manifest-src 'self'; object-src 'none'; media-src 'self' blob: https:; require-trusted-types-for 'script'; trusted-types default DOMPurify flowcrypt-policy; upgrade-insecure-requests; block-all-mixed-content;"
   }
 }

From 9f426b98305481181ef02e2df80daf9a88a38cee Mon Sep 17 00:00:00 2001
From: martgil <martroblesit@gmail.com>
Date: Tue, 19 May 2026 13:13:16 +0800
Subject: [PATCH 4/4] fix: simplify content security policy in manifest.json

---
 extension/manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extension/manifest.json b/extension/manifest.json
index d532d886854..c4bcbbf63ef 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -92,6 +92,6 @@
   ],
   "minimum_chrome_version": "96",
   "content_security_policy": {
-    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-src 'self' https://mail.google.com/ blob:; worker-src 'self'; connect-src 'self' http://localhost:* https://localhost:* http://127.0.0.1:* https://127.0.0.1:* https://*.google.com https://*.googleapis.com https://flowcrypt.com; default-src 'self'; frame-ancestors 'self' https://mail.google.com; base-uri 'self'; form-action 'self' https://accounts.google.com; font-src 'self' data:; manifest-src 'self'; object-src 'none'; media-src 'self' blob: https:; require-trusted-types-for 'script'; trusted-types default DOMPurify flowcrypt-policy; upgrade-insecure-requests; block-all-mixed-content;"
+    "extension_pages": "script-src 'self'; frame-ancestors 'self' https://mail.google.com; img-src 'self' data: blob: https:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self';"
   }
 }