Problem
The app serves HTML with vendored JS libraries (xterm.js, Socket.IO, etc.) but has no Content-Security-Policy header. This leaves XSS mitigation on the table — if any injected script executes in the terminal UI context, it has access to the WebSocket connection and can send commands to the PTY.
Expected behavior
Add CSP headers that restrict script sources to self and known CDNs, block inline scripts where possible, and prevent framing by untrusted origins.
Impact
Without CSP, a successful XSS attack could:
- Execute arbitrary commands via the WebSocket/PTY connection
- Exfiltrate the Databricks PAT from the environment
- Access any data the terminal user can access
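
One way to implement the expected behavior, shown as an added example (not the project's own code): a standard-library WSGI middleware that sets the header on every response, plus a small check that flags policy values which would undo the mitigation. It assumes the app can be wrapped as a WSGI application; `cdn.example.com`, `build_csp`, `policy_weaknesses` and `CSPMiddleware` are hypothetical names.

```python
# Assumption: placeholder CDN origin; replace with the CDNs actually used, or drop it
# when every library is vendored and served from the app's own origin.
CDN_ORIGINS = ("https://cdn.example.com",)


def build_csp(cdn_origins=CDN_ORIGINS, ws_origin=None):
    """Return a CSP value: scripts from self + listed CDNs, no inline, no framing."""
    scripts = " ".join(("'self'",) + tuple(cdn_origins))
    # Socket.IO traffic is governed by connect-src; ws_origin (e.g. wss://host) is
    # for browsers that do not match same-origin WebSockets against 'self'.
    connect = "'self'" + (f" {ws_origin}" if ws_origin else "")
    directives = {
        "default-src": "'self'",
        "script-src": scripts,        # no 'unsafe-inline' / 'unsafe-eval'
        "connect-src": connect,
        "object-src": "'none'",
        "base-uri": "'self'",
        "frame-ancestors": "'none'",  # or list trusted embedding origins here
    }
    return "; ".join(f"{k} {v}" for k, v in directives.items())


def policy_weaknesses(csp):
    """List findings that would undo the XSS mitigation the policy is meant to give."""
    parsed = {}
    for d in csp.split(";"):
        if d.strip():
            name, *values = d.split()
            parsed[name.lower()] = values
    findings = []
    script = parsed.get("script-src", parsed.get("default-src", ["*"]))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if bad in script:
            findings.append(f"script-src allows {bad}")
    if "frame-ancestors" not in parsed:
        findings.append("frame-ancestors missing")
    return findings


class CSPMiddleware:
    """Wrap any WSGI app so every response carries exactly one CSP header."""
    def __init__(self, app, csp=None):
        self.app, self.csp = app, csp or build_csp()
    def __call__(self, environ, start_response):
        def add_headers(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "content-security-policy"]
            headers.append(("Content-Security-Policy", self.csp))
            return start_response(status, headers, exc_info)
        return self.app(environ, add_headers)
```

Running `policy_weaknesses` over the deployed header value in a unit test keeps a later change from reintroducing `'unsafe-inline'` unnoticed.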