bowong
/
mxivideo
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mxivideo/docs/mixvideo-security-optimizat...

277 lines
7.5 KiB
Markdown
Raw Permalink Blame History

# MixVideo 安全配置优化建议
基于当前项目配置的安全优化方案
## 📊 当前配置分析
### 🔍 现有配置
```json
{
"security": {
"csp": "default-src 'self' ipc: http://ipc.localhost; img-src 'self' asset: http://asset.localhost data:; media-src 'self' asset: http://asset.localhost; video-src 'self' asset: http://asset.localhost; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
"assetProtocol": {
"enable": true,
"scope": ["**"]
}
}
}
```
### ⚠️ 安全风险评估
| 配置项 | 风险级别 | 问题描述 | 影响 |
|--------|----------|----------|------|
| `scope: ["**"]` | 🔴 高风险 | 允许访问所有文件系统 | 可能泄露敏感文件 |
| `'unsafe-inline'` | 🟡 中风险 | 允许内联脚本和样式 | XSS 攻击风险 |
| 缺少 `devCsp` | 🟡 中风险 | 开发和生产使用相同策略 | 开发体验受限 |
| 缺少 `freezePrototype` | 🟢 低风险 | 未防护原型污染 | 潜在安全隐患 |
---
## 🎯 优化建议
### 1. 立即优化 (高优先级)
#### AssetProtocol Scope 限制
```json
{
"assetProtocol": {
"enable": true,
"scope": [
"$HOME/.mixvideo/**",
"$APPDATA/mixvideo/**",
"$TEMP/mixvideo/**",
"$HOME/Videos/**",
"$HOME/Movies/**",
"$DESKTOP/**",
"$DOCUMENT/**"
]
}
}
```
**优势**:
- ✅ 限制文件访问范围
- ✅ 防止访问系统敏感文件
- ✅ 保持功能完整性
### 2. CSP 策略优化
#### 推荐配置
```json
{
"security": {
"csp": {
"default-src": ["'self'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"]
},
"devCsp": {
"default-src": ["'self'", "'unsafe-eval'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost", "ws:", "wss:"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"]
}
}
}
```
**优势**:
- ✅ 分离开发和生产环境
- ✅ 支持热重载 (`'unsafe-eval'` 仅开发环境)
- ✅ 支持 WebSocket 连接 (开发环境)
### 3. 完整优化配置
#### 生产就绪配置
```json
{
"app": {
"security": {
"csp": {
"default-src": ["'self'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"],
"object-src": ["'none'"],
"base-uri": ["'self'"],
"form-action": ["'self'"]
},
"devCsp": {
"default-src": ["'self'", "'unsafe-eval'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost", "ws://localhost:*", "wss://localhost:*"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"],
"object-src": ["'none'"],
"base-uri": ["'self'"],
"form-action": ["'self'"]
},
"assetProtocol": {
"enable": true,
"scope": [
"$HOME/.mixvideo/**",
"$APPDATA/mixvideo/**",
"$LOCALAPPDATA/mixvideo/**",
"$TEMP/mixvideo/**",
"$HOME/Videos/**",
"$HOME/Movies/**",
"$HOME/Pictures/**",
"$DESKTOP/**",
"$DOCUMENT/**",
"$DOWNLOAD/**"
]
},
"freezePrototype": true,
"dangerousDisableAssetCspModification": false
}
}
}
```
---
## 🔄 迁移步骤
### 步骤 1: 备份当前配置
```bash
cp src-tauri/tauri.conf.json src-tauri/tauri.conf.json.backup
```
### 步骤 2: 渐进式更新
#### 2.1 首先限制 AssetProtocol Scope
```json
{
"assetProtocol": {
"enable": true,
"scope": [
"$HOME/.mixvideo/**",
"$APPDATA/mixvideo/**",
"$TEMP/mixvideo/**",
"$HOME/Videos/**",
"$HOME/Movies/**"
]
}
}
```
#### 2.2 测试基本功能
- 视频导入
- 视频播放
- 文件保存
#### 2.3 添加开发环境 CSP
```json
{
"devCsp": {
"default-src": ["'self'", "'unsafe-eval'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost", "ws:", "wss:"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"]
}
}
```
#### 2.4 转换生产 CSP 为对象格式
```json
{
"csp": {
"default-src": ["'self'"],
"connect-src": ["'self'", "ipc:", "http://ipc.localhost"],
"img-src": ["'self'", "asset:", "http://asset.localhost", "data:"],
"media-src": ["'self'", "asset:", "http://asset.localhost"],
"video-src": ["'self'", "asset:", "http://asset.localhost"],
"script-src": ["'self'", "'unsafe-inline'"],
"style-src": ["'self'", "'unsafe-inline'"],
"font-src": ["'self'", "data:"]
}
}
```
### 步骤 3: 验证和测试
#### 3.1 功能测试清单
- [ ] 视频文件导入
- [ ] 视频播放和预览
- [ ] 图片资源显示
- [ ] 模板导入和使用
- [ ] 项目保存和加载
- [ ] Python 脚本执行
- [ ] 开发热重载
#### 3.2 安全测试
- [ ] 尝试访问系统敏感文件
- [ ] 检查 CSP 违规报告
- [ ] 验证文件访问权限
---
## 🚨 注意事项
### 1. Windows 路径兼容性
确保 scope 配置支持 Windows 路径:
```json
{
"scope": [
"$APPDATA/mixvideo/**",
"$LOCALAPPDATA/mixvideo/**",
"C:\\Users\\*\\Videos\\**",
"C:\\Users\\*\\Documents\\**"
]
}
```
### 2. 开发环境特殊需求
- 保留 `'unsafe-eval'` 用于热重载
- 添加 WebSocket 支持用于开发服务器
- 允许 localhost 连接
### 3. 生产环境安全
- 移除所有 `unsafe-*` 指令(除非必要)
- 严格限制文件访问范围
- 启用原型冻结保护
---
## 📈 预期收益
### 安全性提升
- 🔒 **文件系统保护**: 限制访问范围,防止敏感文件泄露
- 🛡️ **XSS 防护**: 更严格的 CSP 策略
- 🔐 **原型污染防护**: 启用 freezePrototype
### 开发体验
- 🚀 **热重载支持**: 开发环境允许 eval
- 🔧 **调试友好**: WebSocket 和开发工具支持
-**性能优化**: 更精确的资源加载策略
### 维护性
- 📝 **配置清晰**: 对象格式更易读和维护
- 🔄 **环境分离**: 开发和生产配置独立
- 📊 **监控友好**: 更好的 CSP 违规报告
---
*建议在测试环境中先验证配置,确认功能正常后再应用到生产环境*
Reference in New Issue View Git Blame Copy Permalink