docs: document WS broadcast scope gating and Control UI img-src CSP

2026-05-06 16:50:43 +00:00 · 2026-04-21 13:14:15 -07:00
parent 7d7c0b1dfe
commit 32ccf27e60
2 changed files with 23 additions and 0 deletions
--- a/docs/web/control-ui.md
+++ b/docs/web/control-ui.md
@@ -278,6 +278,18 @@ Trusted-proxy note:

 See [Tailscale](/gateway/tailscale) for HTTPS setup guidance.

+## Content Security Policy
+
+The Control UI ships with a tight `img-src` policy: only **same-origin** assets and `data:` URLs are allowed. Remote `http(s)` and protocol-relative image URLs are rejected by the browser and do not issue network fetches.
+
+What this means in practice:
+
+- Avatars and images served under relative paths (for example `/avatars/<id>`) still render.
+- Inline `data:image/...` URLs still render (useful for in-protocol payloads).
+- Remote avatar URLs emitted by channel metadata are stripped at the Control UI's avatar helpers and replaced with the built-in logo/badge, so a compromised or malicious channel cannot force arbitrary remote image fetches from an operator browser.
+
+You do not need to change anything to get this behavior — it is always on and not configurable.
+
 ## Building the UI

 The Gateway serves static files from `dist/control-ui`. Build them with: