chore(linux): remove CSP tag on custom protocol response (#8984)

2024-07-14 19:10:28 +03:00 · 2024-02-26 13:08:19 -03:00 · 2024-02-26 13:08:19 -03:00 · bc5b5e671a
commit bc5b5e671a
parent 6cb601d42e
5 changed files with 12 additions and 26 deletions
--- a/.changes/csp-header-linux.md
+++ b/.changes/csp-header-linux.md
@ -0,0 +1,7 @@
+---
+"tauri": patch:enhance
+"tauri-utils": patch:enhance
+"tauri-codegen": patch:enhance
+---
+
+Do not include a CSP tag in the application HTML and rely on the custom protocol response header instead.
--- a/core/tauri-codegen/src/context.rs
+++ b/core/tauri-codegen/src/context.rs
@ -40,7 +40,6 @@ pub struct ContextData {

 fn map_core_assets(
  options: &AssetOptions,
-  target: Target,
 ) -> impl Fn(&AssetKey, &Path, &mut Vec<u8>, &mut CspHashes) -> Result<(), EmbeddedAssetsError> {
  #[cfg(feature = "isolation")]
  let pattern = tauri_utils::html::PatternObject::from(&options.pattern);
@ -53,10 +52,6 @@ fn map_core_assets(
      if csp {
        let document = parse_html(String::from_utf8_lossy(input).into_owned());

-        if target == Target::Linux {
-          ::tauri_utils::html::inject_csp_token(&document);
-        }
-
        inject_nonce_token(&document, &dangerous_disable_asset_csp_modification);

        if dangerous_disable_asset_csp_modification.can_modify("script-src") {
@ -176,7 +171,7 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
              path
            )
          }
-          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options, target))?
+          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options))?
        }
        FrontendDist::Files(files) => EmbeddedAssets::new(
          files
@ -184,7 +179,7 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
            .map(|p| config_parent.join(p))
            .collect::<Vec<_>>(),
          &options,
-          map_core_assets(&options, target),
+          map_core_assets(&options),
        )?,
        _ => unimplemented!(),
      },
--- a/core/tauri-runtime-wry/src/lib.rs
+++ b/core/tauri-runtime-wry/src/lib.rs
@ -2854,7 +2854,6 @@ fn handle_user_message<T: UserEvent>(
          }
          // Getters
          WebviewMessage::Url(tx) => {
-            println!("url getter");
            tx.send(webview.url().parse().unwrap()).unwrap();
          }
          WebviewMessage::Position(tx) => {
--- a/core/tauri-utils/src/html.rs
+++ b/core/tauri-utils/src/html.rs
@ -23,8 +23,6 @@ use crate::config::{DisabledCspModificationKind, PatternKind};
 #[cfg(feature = "isolation")]
 use crate::pattern::isolation::IsolationJavascriptCodegen;

-/// The token used on the CSP tag content.
-pub const CSP_TOKEN: &str = "__TAURI_CSP__";
 /// The token used for script nonces.
 pub const SCRIPT_NONCE_TOKEN: &str = "__TAURI_SCRIPT_NONCE__";
 /// The token used for style nonces.
@ -168,11 +166,6 @@ pub fn inject_csp(document: &NodeRef, csp: &str) {
  });
 }

-/// Injects a content security policy token to the HTML.
-pub fn inject_csp_token(document: &NodeRef) {
-  inject_csp(document, CSP_TOKEN)
-}
-
 fn create_csp_meta_tag(csp: &str) -> NodeRef {
  NodeRef::new_element(
    QualName::new(None, ns!(html), LocalName::from("meta")),
@ -298,12 +291,12 @@ mod tests {
    ];
    for html in htmls {
      let document = kuchiki::parse_html().one(html);
-      super::inject_csp_token(&document);
+      let csp = "csp-string";
+      super::inject_csp(&document, csp);
      assert_eq!(
        document.to_string(),
        format!(
-          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{}"></head><body></body></html>"#,
-          super::CSP_TOKEN
+          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{csp}"></head><body></body></html>"#,
        )
      );
    }
--- a/core/tauri/src/protocol/tauri.rs
+++ b/core/tauri/src/protocol/tauri.rs
@ -164,14 +164,6 @@ fn get_response<R: Runtime>(
  if let Some(handler) = &web_resource_request_handler {
    handler(request, &mut response);
  }
-  // if it's an HTML file, we need to set the CSP meta tag on Linux
-  #[cfg(target_os = "linux")]
-  if let Some(response_csp) = response.headers().get("Content-Security-Policy") {
-    let response_csp = String::from_utf8_lossy(response_csp.as_bytes());
-    let html = String::from_utf8_lossy(response.body());
-    let body = html.replacen(tauri_utils::html::CSP_TOKEN, &response_csp, 1);
-    *response.body_mut() = body.as_bytes().to_vec().into();
-  }

  Ok(response)
 }