Summary
p2p-transfer/index.html:120 loads webtorrent from a third-party CDN at the moving @latest tag with no Subresource Integrity (SRI). A CDN incident or a malicious upstream release would execute attacker-controlled JavaScript in the app's origin, alongside the WASM bundle — with full access to peer transfers, share hashes, and any user data the app touches.
Found during a security audit of PR #41 (the warning is pre-existing, not introduced by that PR).
Location
p2p-transfer/index.html:120
<script src="https://cdn.jsdelivr.net/npm/webtorrent@latest/webtorrent.min.js">
Why this matters
- Moving tag (@latest) — every page load resolves to whatever jsDelivr is serving at that moment. Any future upstream release is automatically loaded with no review.
- No SRI — there is no integrity= / crossorigin= hash, so the browser cannot detect a tampered or substituted file.
- Origin trust — anything this script runs has the same privileges as the rest of the app: it can read peer share hashes, intercept file-picker results, redirect transfers, etc.
Likely status: dead boilerplate
The webtorrent library doesn't appear to be referenced anywhere else in the codebase. Per p2p-transfer/CLAUDE.md, the P2P transport is iroh + WebRTC relay, not WebTorrent. This looks like leftover scaffolding from the original eframe_template.
Suggested fix
Preferred — remove the tag entirely:
<!-- delete line 120 -->
If the library is actually needed, pin a specific version with SRI:
<script
src="https://cdn.jsdelivr.net/npm/webtorrent@2.5.1/webtorrent.min.js"
integrity="sha384-..."
crossorigin="anonymous"></script>
(Generate the SRI hash with curl -sSL https://cdn.jsdelivr.net/npm/webtorrent@2.5.1/webtorrent.min.js | openssl dgst -sha384 -binary | openssl base64 -A.)
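As an added example (not code from this issue or the p2p-transfer project), the helper below computes the same sha384 SRI value as the openssl pipeline above, renders the pinned tag, verifies fetched bytes against an integrity attribute with browser semantics (only the strongest listed algorithm counts), and flags the two weaknesses in the current tag: a moving version selector and a missing integrity attribute. The sample asset bytes and the audit_script_tag helper are constructed for illustration.

```python
"""Subresource Integrity (SRI) helpers for auditing and pinning CDN <script> tags."""
import base64
import hashlib
import re

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>' for DATA; for sha384 this equals
    `openssl dgst -sha384 -binary | openssl base64 -A` on the same bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def pinned_script_tag(src: str, data: bytes, algorithm: str = "sha384") -> str:
    """Render a <script> tag for SRC with integrity and crossorigin set,
    where DATA is the exact byte content served at SRC."""
    return (f'<script src="{src}" integrity="{sri_hash(data, algorithm)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check DATA against an integrity attribute the way a browser does:
    only digests of the strongest algorithm present are considered, and any
    one of them matching passes. An attribute with no usable token is reported
    as a failure here (a browser would instead load the resource unchecked)."""
    parsed = {}
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in SRI_ALGORITHMS:
            parsed.setdefault(alg, set()).add(rest.split("?")[0])  # drop option suffix
    if not parsed:
        return False
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def audit_script_tag(tag: str) -> list:
    """Constructed helper: return findings for one <script> tag loaded from an
    npm-style CDN path (package@selector/file). Only exact x.y.z selectors are
    treated as pinned; @latest, @next, ranges and partial versions are moving."""
    findings = []
    src = re.search(r'src="([^"]+)"', tag)
    if not src:
        return findings  # inline script: nothing remote to pin
    m = re.search(r"@([^/]+)/", src.group(1))
    selector = m.group(1) if m else None
    if selector is None or not re.fullmatch(r"\d+\.\d+\.\d+", selector):
        findings.append(f"moving version selector: {selector!r}")
    if 'integrity="' not in tag:
        findings.append("no integrity attribute")
    elif 'crossorigin="anonymous"' not in tag:
        findings.append("integrity without crossorigin=anonymous")
    return findings


CURRENT_TAG = ('<script src="https://cdn.jsdelivr.net/npm/webtorrent@latest/'
               'webtorrent.min.js"></script>')
PINNED_SRC = "https://cdn.jsdelivr.net/npm/webtorrent@2.5.1/webtorrent.min.js"

if __name__ == "__main__":
    asset = b"/* constructed stand-in for webtorrent.min.js */\n"  # sample bytes, not the real file
    print("findings for current tag:", audit_script_tag(CURRENT_TAG))
    fixed = pinned_script_tag(PINNED_SRC, asset)
    print("pinned tag:", fixed)
    print("findings for pinned tag:", audit_script_tag(fixed))
    print("original bytes verify:", verify_sri(asset, sri_hash(asset)))
    print("tampered bytes verify:", verify_sri(asset + b"x", sri_hash(asset)))
```

Run it to see the two findings on the current tag and none on the pinned one; in a CI check, feed it every `<script src=` line in index.html and fail the build when the list is non-empty.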
Related
- <script src=...> is ignored) #43 — the same <script> tag also has a structural bug (inline service-worker registration that never runs). Both should be fixed in the same follow-up PR.