From ff124dcdfbbc1fe3348c3063c9d1844e84bc75e6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:08:22 +0000
Subject: [PATCH] fix: use cryptographic nonce for extension webview CSP

Agent-Logs-Url: https://github.com/devNull-bootloader/openclaude/sessions/30a4694d-1125-4280-a593-74b5e3da601e
Co-authored-by: devNull-bootloader <189463177+devNull-bootloader@users.noreply.github.com>
---
 vscode-extension/openclaude-vscode/src/extension.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vscode-extension/openclaude-vscode/src/extension.js b/vscode-extension/openclaude-vscode/src/extension.js
index b59725a3..daf48133 100644
--- a/vscode-extension/openclaude-vscode/src/extension.js
+++ b/vscode-extension/openclaude-vscode/src/extension.js
@@ -1,4 +1,5 @@
 const vscode = require('vscode');
+const crypto = require('crypto');
 
 function launchOpenClaude() {
 const configured = vscode.workspace.getConfiguration('openclaude');
@@ -39,7 +40,7 @@ class OpenClaudeControlCenterProvider {
 }
 
 getHtml(webview) {
- const nonce = String(Date.now());
+ const nonce = crypto.randomBytes(16).toString('base64');
 return `
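Review bot: In the first hunk of extension.js, the new import could name the built-in module explicitly, `const crypto = require('node:crypto');`, so that it cannot be redirected to a polyfill or a same-named package if the extension is bundled later. This is a style point and assumes the extension host's Node runtime accepts the `node:` prefix, which the patch does not show. A one-line comment above the import, such as `// Built-in CSPRNG; used to generate the webview CSP nonce.`, would also record why the module is required.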