## codeNarration Extension README Overstates Command-URI Security Restrictions, Documentation Reveals
A critical discrepancy between stated security policy and actual implementation has been identified in the codeNarration Visual Studio Code extension. The project's README claims that all `command:` URIs within generated narration are restricted exclusively to a `codeNarration.reveal` handler, preventing arbitrary code execution from untrusted content. However, researchers examining the source code found that the actual implementation does not enforce this restriction.

In `src/extension.ts:238`, the webview is initialized with `enableCommandUris: true`, which permits every command URI rather than limiting them to a specific handler. Additionally, `src/webview.ts:6` lets any `command:` URL pass through the markdown validator without filtering. Because the documentation and the implementation disagree, users opening narration files from untrusted sources may reasonably assume a security boundary that does not actually exist.

The maintainers acknowledge the vulnerability and have tracking issue #68 open for the substantive fix. Until that patch lands, the recommended interim measure is to soften the README language so that it accurately describes current behavior: specifically, warning users that the webview's Content Security Policy enables the full `enableCommandUris` flag, and that opening narration on untrusted content carries inherent risk. The documentation correction should either happen immediately or be incorporated into the #68 pull request, so that the README stops misrepresenting the actual security posture to users.
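As an added illustration (not the extension's own code), the permissive setting the issue describes beside a restricted one. It assumes a local type mirroring the shape of VS Code's `WebviewOptions.enableCommandUris` (boolean or an array of permitted command ids) and a link validator in the style of markdown-it's `validateLink` hook; the `vscode` module itself is not imported, so it runs outside the editor.

```typescript
// Local mirror of the relevant part of VS Code's WebviewOptions: the
// enableCommandUris option accepts either a boolean or a list of command ids.
// (Assumed shape for this example; the real type lives in the vscode module.)
interface WebviewOptionsLike {
  enableScripts?: boolean;
  enableCommandUris?: boolean | readonly string[];
}

// The handler the README says is the only permitted command target.
const ALLOWED_COMMANDS: readonly string[] = ["codeNarration.reveal"];

// Weak: every `command:` URI in the rendered narration can be invoked.
const permissiveOptions: WebviewOptionsLike = {
  enableScripts: true,
  enableCommandUris: true,
};

// Hardened: only command URIs whose id is in the list are honoured.
const restrictedOptions: WebviewOptionsLike = {
  enableScripts: true,
  enableCommandUris: ALLOWED_COMMANDS,
};

// Markdown-side check in the style of markdown-it's md.validateLink(url):
// returns true if the link may appear in rendered output. Applying the same
// allowlist here means the restriction does not rest on the webview alone.
function validateLink(url: string): boolean {
  const trimmed = url.trim();
  const m = /^command:([^?#]*)/i.exec(trimmed);
  if (m) {
    // A command URI is command:<id>[?<json-args>]; only the id is checked.
    return ALLOWED_COMMANDS.includes(m[1]);
  }
  // Everything else: permit ordinary web/file links only (assumed policy).
  return /^(https?|file|vscode-resource):/i.test(trimmed);
}

// Does a given options object confine command URIs to the allowlist?
function commandUrisRestricted(opts: WebviewOptionsLike): boolean {
  const v = opts.enableCommandUris;
  if (v === undefined || v === false) return true; // command URIs disabled
  if (v === true) return false;                    // every command permitted
  return v.every((c) => ALLOWED_COMMANDS.includes(c));
}
```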
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security vulnerability, documentation gap, VS Code extension, command-URI bypass, CSP misconfiguration
- **Credibility**: unverified
- **Published**: 2026-05-14 05:48:32
- **ID**: 82915
- **URL**: https://whisperx.ai/en/intel/82915