From 6d3ee4d14fe5d7c20b785bd1debd42b478dd8e97 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:53:46 +0000
Subject: [PATCH] Add Cross-Origin-Opener-Policy header to CSP documentation for AppKit social login security
- Added Cross-Origin-Opener-Policy: same-origin-allow-popups to the AppKit CSP example
- Added explanatory note about tabnabbing protection for social login flows
- Added 'tabnabbing' to spell check configuration to resolve linting issues
This security header helps prevent tabnabbing attacks during OAuth flows with social providers like Google, GitHub, Discord, etc.
Co-Authored-By: TomTom
---
 .cspell.json | 2 +-
 advanced/security/content-security-policy.mdx | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.cspell.json b/.cspell.json
index 43ea06c53..28220158f 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -39,7 +39,7 @@ "nosocial", "bitget", "leather", "binance", "uniswap", "safepal", "bybit", "phantom", "ledger", "timeless-x", "safe", "zerion", "oneinch", "crypto-com", "imtoken", "kraken", "ronin", "robinhood", "exodus", "argent", "tokenpocket", "Contractaddress", "executionreverted", "FATF", "VASP", "LLMSTXT", "Frontmatter", "CASP", "DKMS", "hydradx", "phala", "astar", "mangata", "polkadotjs", "Dogecoin", "Blockbook", "vuejs", "xsmall", "rgba", "mintlify", "filteredwallets", "tnum","minmax","toolkits", "autoplay", "Litoshi", "Litoshis", "encryptor's", "Everscale", "Bitcore", "satoshis", "Parachain", "Bitcore", "walletlist", "Userflow", "retryable", "USDS", "Arbitrum", "Wolfswap", "Halborn", "Pentest", "Spearbit", "valtio",
- "reshare", "microstacks", "Prebuild", "APKT", "offchain"
+ "reshare", "microstacks", "Prebuild", "APKT", "offchain", "tabnabbing"
 ]
 }
diff --git a/advanced/security/content-security-policy.mdx b/advanced/security/content-security-policy.mdx
index 383a8405f..0ea6bd4fe 100644
--- a/advanced/security/content-security-policy.mdx 
+++ b/advanced/security/content-security-policy.mdx
@@ -20,6 +20,7 @@ img-src * 'self' data: blob: https://walletconnect.org https://walletconnect.com
 font-src 'self' https://fonts.gstatic.com;
 connect-src 'self' https://rpc.walletconnect.com https://rpc.walletconnect.org https://relay.walletconnect.com https://relay.walletconnect.org wss://relay.walletconnect.com wss://relay.walletconnect.org https://pulse.walletconnect.com https://pulse.walletconnect.org https://api.web3modal.com https://api.web3modal.org https://keys.walletconnect.com https://keys.walletconnect.org https://notify.walletconnect.com https://notify.walletconnect.org https://echo.walletconnect.com https://echo.walletconnect.org https://push.walletconnect.com https://push.walletconnect.org wss://www.walletlink.org;
 frame-src 'self' https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.com https://secure.walletconnect.org;
+Cross-Origin-Opener-Policy: same-origin-allow-popups;
 ```
@@ -30,6 +31,12 @@ For a full of list of RPC sources used by `wagmi/viem`, please refer to [Viem's
+
+
+**Cross-Origin-Opener-Policy for Social Login Security**: The `Cross-Origin-Opener-Policy: same-origin-allow-popups` header is essential when using AppKit's social login features (Google, X, GitHub, Discord, Apple, Facebook, Farcaster). This header helps prevent tabnabbing attacks during OAuth flows by controlling how popup windows can interact with your application. Without this header, malicious sites could potentially hijack the authentication flow and redirect users to phishing pages.
+
+
 ## Testing and Deploying Your CSP
 ### Test Your CSP in a Staging Environment
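Review bot: The added line `Cross-Origin-Opener-Policy: same-origin-allow-popups;` sits inside the fenced CSP example as if it were a CSP directive, but it is a separate HTTP response header; a browser parsing the Content-Security-Policy value would treat `Cross-Origin-Opener-Policy:` as an unrecognized directive and ignore it, so readers who copy this block get none of the protection the note in the second hunk describes. The example should present it as its own header sent alongside the CSP, outside the CSP value, e.g. `Cross-Origin-Opener-Policy: same-origin-allow-popups` with no trailing semicolon, and the prose in the second hunk should say it is a separate header rather than part of the policy. It would also help to state concretely what the value does: with `same-origin-allow-popups`, the application keeps its reference to the OAuth popup it opens (as long as the popup does not set COOP itself), while a cross-origin page that opened the application loses its `window.opener` link to it, which is the tabnabbing case the note is guarding against. The opening of the fenced block and the surrounding header lines are outside this hunk.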