From 2ff3ab1d7fdb4ffbefa01b13410209f6b7838d2a Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Mon, 20 Apr 2026 20:33:09 -0400
Subject: [PATCH] feat(ext): drop setup.html / wasm from web_accessible_resources (audit C1)
setup.html is opened via chrome.tabs.create using a chrome-extension:// URL which doesn't require WAR. WASM is bundled into service-worker.js/setup.js and never fetched from a web page origin. Leaving them in WAR would expose their URLs to any origin for probing/fingerprinting; shipping an empty WAR array closes the surface.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
extension/manifest.firefox.json | 4 +---
extension/manifest.json | 5 +----
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/extension/manifest.firefox.json b/extension/manifest.firefox.json
index a80f427..14937a6 100644
--- a/extension/manifest.firefox.json
+++ b/extension/manifest.firefox.json
@@ -35,7 +35,5 @@
 "content_security_policy": {
 "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
 },
- "web_accessible_resources": [{
- "resources": ["setup.html", "setup.js", "styles.css", "relicario_wasm_bg.wasm", "relicario_wasm.js"]
- }]
+ "web_accessible_resources": []
 }
diff --git a/extension/manifest.json b/extension/manifest.json
index db02853..7eb1630 100644
--- a/extension/manifest.json
+++ b/extension/manifest.json
@@ -30,8 +30,5 @@
 "content_security_policy": {
 "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
 },
- "web_accessible_resources": [{
- "resources": ["setup.html", "setup.js", "styles.css", "relicario_wasm_bg.wasm", "relicario_wasm.js"],
- "matches": [""]
- }]
+ "web_accessible_resources": []
 }
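Review bot: The commit message only justifies dropping `setup.html` and the WASM binary, but the removed `resources` list in this hunk also held `setup.js`, `styles.css` and `relicario_wasm.js`, and nothing visible here shows that no content script or page-injected element still loads them via `runtime.getURL()`. With `"web_accessible_resources": []`, any such load from a web-page context would be refused, so it is worth searching the content scripts for those three names before merging. The same applies to the matching hunk in extension/manifest.json. Because JSON cannot carry a comment explaining why the array must stay empty, I would pin the audit C1 decision with a CI check such as `jq -e '.web_accessible_resources == []' extension/manifest.json extension/manifest.firefox.json`, so the surface is not quietly reopened later.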