Commit 6541e1b2 authored by YJ

#516 Set CSP in Meta tag (#517)

* feat: set csp meta in index.html for prod

* fix grumbles
parent f2cb900f
...@@ -37,6 +37,9 @@ function setupRequestListeners (fetherApp) { ...@@ -37,6 +37,9 @@ function setupRequestListeners (fetherApp) {
); );
// Content Security Policy (CSP) // Content Security Policy (CSP)
// Note: `onHeadersReceived` will not be called in prod, because we use the
// file:// protocol:
// Instead, the CSP are the ones in the meta tag inside index.html
session.defaultSession.webRequest.onHeadersReceived((details, callback) => { session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
pino.debug( pino.debug(
`Configuring Content-Security-Policy for environment ${ `Configuring Content-Security-Policy for environment ${
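Review bot: The new comment above `onHeadersReceived` says the prod policy lives "in the meta tag inside index.html" but not where, and a meta-delivered CSP cannot carry `frame-ancestors`, `report-uri` or `sandbox`, so any of those set on the header path here would be silently absent in prod. A more useful comment would name the file and the constraint, e.g. `// Prod (file://) policy: <meta http-equiv="Content-Security-Policy"> in index.html — keep both in sync; meta CSP cannot express frame-ancestors / report-uri / sandbox.` Two hand-maintained copies of the policy will drift, so it may be worth noting the dev and prod directive lists should be diffed when either changes. The body of setupRequestListeners begins and ends outside this hunk.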
...@@ -4,8 +4,25 @@ ...@@ -4,8 +4,25 @@
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js -->
<meta name="theme-color" content="#000000"> <meta name="theme-color" content="#000000">
<!-- These CSP are for prod. For dev, CSP are set inside @electron-app -->
<meta http-equiv="Content-Security-Policy" content="
child-src 'none';
connect-src https: ws:;
default-src 'none';
font-src 'none';
form-action 'none';
frame-src 'none';
img-src 'self' 'unsafe-inline' file: data: blob: https:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src 'none';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline' http:;
worker-src blob:;
<!-- <!--
manifest.json provides metadata used when your web app is added to the manifest.json provides metadata used when your web app is added to the
homescreen on Android. See homescreen on Android. See
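Review bot: `script-src 'self' 'unsafe-inline'` on the new meta tag lets any injected inline script execute, which removes most of the XSS protection this policy is meant to provide; if the production bundle genuinely needs inline scripts, a hash or nonce source for those specific blocks would be tighter, and `style-src ... http:` plus `connect-src ... ws:` likewise permit plaintext stylesheet and WebSocket loads where `https:`/`wss:` would be expected in prod. `'unsafe-inline'` is not a valid source expression for `img-src` and is ignored by the browser, so that token can be dropped from that directive. `base-uri` does not fall back to `default-src`, so adding `base-uri 'none';` would close off `<base>` injection redirecting relative URLs. The tag's closing `">` is not visible in this rendering, so the directive list may be truncated here.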
