Hacker News: aegarbutt's comments

Or I just expose my malicious share to the Internet. No mounting step necessary.

file://<Evil-IP>/evil.js


The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron.

So, 'self' is ALL file:// URIs.


In Electron, all file:/// URIs share an origin. Using `script-src: 'self'` isn't much of a boundary.
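As an added illustration (my own code, not from the thread or from Signal/Electron), a small check in the spirit of csp-evaluator: it parses a CSP string and reports whether script-src is a real boundary for a document loaded from the given scheme, flagging 'self' on a file:// document for the reason the comments above give. Function names and the sample policy are mine.

```javascript
// Added example (not from the thread): a CSP check in the spirit of
// csp-evaluator. In Electron every file:// URL shares one origin, so
// 'self' in script-src matches any file:// URL the renderer can reach.
// evaluateScriptSrc() parses a CSP string and reports whether script-src
// is a real boundary for a document loaded from the given scheme.

// Parse "name value value; name value" into a Map; CSP keeps the first
// occurrence of a directive and ignores later duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSrc(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function evaluateScriptSrc(policy, documentScheme) {
  const sources = effectiveScriptSrc(parseCsp(policy));
  const findings = [];
  if (sources === null) {
    findings.push('no script-src or default-src: any script source is allowed');
    return { effective: false, findings };
  }
  const has = (s) => sources.some((v) => v.toLowerCase() === s);
  const hasNonceOrHash = sources.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v));
  // With a nonce or hash present, 'unsafe-inline' is ignored by CSP2+ browsers.
  if (has("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' permits attacker-injected inline scripts");
  }
  // 'strict-dynamic' makes host and 'self' sources irrelevant; otherwise
  // 'self' on a file:// document is the shared file:// origin, i.e. any
  // file:// URL (on Windows that includes file://<host>/share/... paths).
  if (has("'self'") && documentScheme === 'file:' && !has("'strict-dynamic'")) {
    findings.push("'self' on a file:// document matches every file:// URL; " +
      'use nonces or hashes, or serve the app from a custom scheme');
  }
  return { effective: findings.length === 0, findings };
}

// Constructed sample: the policy the thread describes, on a file:// document.
const weak = evaluateScriptSrc("default-src 'none'; script-src 'self'", 'file:');
console.log(weak); // effective: false, with the 'self'-on-file:// finding
```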


So let's say I'm able to run HTML in Signal Desktop. How do I include an arbitrary script without getting the user to download the script first?


If I remember correctly, on Windows you can reference file://<IP-Address>/path/to/file

Thanks SMB / UNC Paths.



They really missed an opportunity to have their URL be https://evaluate-csp.withgoogle.com

Rolls off the tongue better than https://csp-evaluator.withgoogle.com.


Agree with you, though the majority of people will not pronounce this URL ever.

