Security Model
Also available: Markdown · Plain text
Security Model — Gnomad Webcanvas
Version: 0.1.0-beta.2
Last updated: June 2026
Trust boundaries
Gnomad Webcanvas executes user-authored HTML, CSS, and JavaScript in a preview iframe. The app itself is trusted; user code is untrusted.
┌─────────────────────────────────────────┐
│ Trusted: React UI, Monaco, Zustand │
│ Trusted: Tauri shell, dialog, fs │
├─────────────────────────────────────────┤
│ User-selected: local files (desktop) │
├─────────────────────────────────────────┤
│ Untrusted: preview iframe (user code) │
│ Third-party: CDN libraries (opt-in) │
└─────────────────────────────────────────┘
Preview sandbox
| Control | Implementation |
|---|---|
| User JS isolation | iframe with srcDoc — separate document context |
| No parent DOM access | iframe sandbox; no direct window.parent manipulation expected |
| Console relay | postMessage with typed liveview-console events only |
Limitation: iframe sandbox attributes are not maximally restrictive because inline scripts and styles are required for live preview. Treat preview as running arbitrary code.
Filesystem access (desktop)
| Rule | Detail |
|---|---|
| Scope | User-selected paths via native Open/Save dialogs only |
| Permissions | fs:allow-read-text-file, fs:allow-write-text-file in capabilities |
| No directory traversal | App does not browse filesystem outside dialog results |
Tauri capability file: src-tauri/capabilities/default.json
Network exposure
| Source | Network |
|---|---|
| User JS in preview | Can fetch any URL (browser/WebView network stack) |
| CDN libraries | Loaded when user toggles libraries (known registry in cdnRegistry.ts) |
| Monaco editor | Loads from CDN in development |
| App backend | None — no server component in v0.1 |
Recommendation: Do not enter secrets (API keys, tokens) in editor panes if sharing URLs or exporting ZIPs.
Data storage
| Data | Location | Sensitivity |
|---|---|---|
| Project code (web) | localStorage | Local only; survives browser restarts |
| Project code (desktop) | User-chosen .html files |
User-controlled |
| Share URLs | URL hash | Visible in browser history and referrer logs |
See PRIVACY.md.
Content Security Policy
tauri.conf.json sets csp: null to allow inline scripts in the WebView for preview assembly. This is acceptable because the app loads local bundled assets — not arbitrary remote HTML as the shell document.
Threat summary
| Threat | Mitigation | Residual risk |
|---|---|---|
| Malicious user JS in preview | iframe isolation | User runs own code deliberately |
| XSS via shared URL | Recipient loads attacker-crafted hash | Only open links from trusted sources |
| CDN supply chain | Curated registry; user opt-in | CDN compromise could affect preview |
| Path traversal on Save | Dialog-scoped paths only | Low |
| localStorage exfiltration | Same-origin policy | Other scripts on same origin could read (web hosting) |
Pre-release checklist
- No secrets in source or default templates
- Tauri capabilities minimal (fs + dialog only)
- CDN registry URLs use HTTPS
- Share URL payload contains no automatic network callbacks
- Release binaries built from tagged CI commits
Built with ❤️ by Gnomad Studio 🦙