[codex] security and privacy hardening #19

Draft
johnzfitch wants to merge 2 commits into investblog:main from johnzfitch:codex/security-privacy-hardening
@johnzfitch johnzfitch commented Feb 23, 2026

Summary

This PR applies a focused security and privacy hardening pass to CookiePeek and updates dependency hygiene.

The core goals were:

  • reduce extension permission blast radius,
  • remove tracking query parameters from external links,
  • remove an innerHTML sink to lower future XSS regression risk,
  • remediate audit findings in the dependency tree,
  • keep behavior and tests stable.

User-Visible Effect

Users keep the same cookie management features and the popup external links remain available (store/review/support/social/sponsor).

Security/Privacy Impact

  • Host permissions were tightened from <all_urls> to http://*/* and https://*/*, removing unnecessary access to internal browser schemes.
  • Popup external links are still present, but tracking UTM parameters were removed from the 301 links.
  • The change-log close button no longer uses innerHTML; it is rendered via safe DOM helpers.
  • Dependency graph was updated and constrained with overrides to eliminate current npm audit high-severity findings.

Root Cause

  • The project initially used broad host permissions.
  • A static innerHTML assignment existed in UI code.
  • The prior lockfile/dependency graph pulled vulnerable transitive versions.

Implementation Details

  • wxt.config.ts
    • host_permissions changed to ['http://*/*', 'https://*/*'].
  • src/entrypoints/popup/main.ts
    • Retained external links; removed UTM tracking params from 301 links.
  • src/entrypoints/popup/components/change-log.ts
    • Replaced SVG innerHTML assignment with svgIcon(ICONS.x, 16).
  • package.json
    • Upgraded wxt to ^0.20.18.
    • Added overrides for tar and minimatch to force patched transitive versions.
  • package-lock.json
    • Regenerated for the above dependency changes.
  • src/background/cookies.ts
    • Updated cookie API typings for compatibility with current wxt browser typings.
  • docs/PRIVACY.md, docs/TESTING.md, docs/SPEC.md, README.md
    • Updated documentation to match hardened behavior and permission model.

Validation

Executed locally:

  • npm audit --package-lock-only -> found 0 vulnerabilities
  • npm run check
    • TypeScript: pass
    • Biome: pass
    • Vitest: 42 passed

Notes

This PR intentionally keeps functional scope narrow and focuses on privacy/security hardening plus dependency remediation.
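
The permission and link changes described in this PR can be pinned down with a small regression check. This is an added example, not code from the PR or from CookiePeek; the function names and the sample manifest values and URLs are constructed for illustration.

```javascript
// Added example: regression checks for the host-permission and UTM changes.
// Function names and sample data are assumptions, not project code.

// Return host_permissions entries whose scheme is not literally http or
// https. This also flags <all_urls> and scheme wildcards such as *://*/*.
function disallowedHostPermissions(patterns) {
  const allowed = new Set(['http', 'https']);
  return patterns.filter((pattern) => {
    const match = /^([^:]+):\/\//.exec(pattern);
    return !match || !allowed.has(match[1]);
  });
}

// True if the link carries any utm_* query parameter.
function hasUtm(link) {
  const keys = [...new URL(link).searchParams.keys()];
  return keys.some((key) => key.toLowerCase().startsWith('utm_'));
}

// Remove utm_* query parameters, keeping path, other params and fragment.
function stripUtm(link) {
  const url = new URL(link);
  for (const key of [...url.searchParams.keys()]) {
    if (key.toLowerCase().startsWith('utm_')) url.searchParams.delete(key);
  }
  return url.toString();
}

// Constructed sample data: permissions before and after the change,
// and a popup link that still carries tracking parameters.
const before = ['<all_urls>'];
const after = ['http://*/*', 'https://*/*'];
const link = 'https://example.com/ext?utm_source=popup&utm_medium=link&ref=1#top';

console.log(disallowedHostPermissions(before)); // flagged entries
console.log(disallowedHostPermissions(after));  // nothing flagged
console.log(hasUtm(link), stripUtm(link));
```

Run against the built manifest and the popup's link list in CI, a non-empty result from `disallowedHostPermissions` or a `true` from `hasUtm` signals a regression of either change.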

@johnzfitch
Author

@codex security review
