diff --git a/.changes/csp-header-linux.md b/.changes/csp-header-linux.md new file mode 100644 index 000000000..4ca673cc3 --- /dev/null +++ b/.changes/csp-header-linux.md @@ -0,0 +1,7 @@ +--- +"tauri": patch:enhance +"tauri-utils": patch:enhance +"tauri-codegen": patch:enhance +--- + +Do not include a CSP tag in the application HTML and rely on the custom protocol response header instead. diff --git a/core/tauri-codegen/src/context.rs b/core/tauri-codegen/src/context.rs index d371580bf..3b48f247a 100644 --- a/core/tauri-codegen/src/context.rs +++ b/core/tauri-codegen/src/context.rs @@ -40,7 +40,6 @@ pub struct ContextData { fn map_core_assets( options: &AssetOptions, - target: Target, ) -> impl Fn(&AssetKey, &Path, &mut Vec, &mut CspHashes) -> Result<(), EmbeddedAssetsError> { #[cfg(feature = "isolation")] let pattern = tauri_utils::html::PatternObject::from(&options.pattern); @@ -53,10 +52,6 @@ fn map_core_assets( if csp { let document = parse_html(String::from_utf8_lossy(input).into_owned()); - if target == Target::Linux { - ::tauri_utils::html::inject_csp_token(&document); - } - inject_nonce_token(&document, &dangerous_disable_asset_csp_modification); if dangerous_disable_asset_csp_modification.can_modify("script-src") { @@ -176,7 +171,7 @@ pub fn context_codegen(data: ContextData) -> Result EmbeddedAssets::new( files @@ -184,7 +179,7 @@ pub fn context_codegen(data: ContextData) -> Result>(), &options, - map_core_assets(&options, target), + map_core_assets(&options), )?, _ => unimplemented!(), }, diff --git a/core/tauri-runtime-wry/src/lib.rs b/core/tauri-runtime-wry/src/lib.rs index 49fd5a818..fb1f5dfd1 100644 --- a/core/tauri-runtime-wry/src/lib.rs +++ b/core/tauri-runtime-wry/src/lib.rs @@ -2854,7 +2854,6 @@ fn handle_user_message( } // Getters WebviewMessage::Url(tx) => { - println!("url getter"); tx.send(webview.url().parse().unwrap()).unwrap(); } WebviewMessage::Position(tx) => { 
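Review bot: With `map_core_assets(&options)` no longer taking the target (third hunk of `core/tauri-codegen/src/context.rs`), embedded HTML on Linux carries no CSP `<meta>` placeholder, so the policy there exists only if the custom-protocol response sets `Content-Security-Policy` and the webview honours it; nothing in this commit checks that. I would add a test on the protocol side asserting that an HTML asset response carries the header when a CSP is configured, and state any minimum Linux webview requirement in the change file (inferred: a webview build that ignores headers on custom-scheme responses would leave the page with no CSP at all). A short comment next to the `if csp {` block in the second hunk would also help, e.g. `// CSP is delivered by the custom protocol response header on every target; no <meta> tag is injected here.` The bodies of `map_core_assets` and `context_codegen` extend beyond these hunks, so whether `target` is still used elsewhere in `context_codegen` cannot be seen from here.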
diff --git a/core/tauri-utils/src/html.rs b/core/tauri-utils/src/html.rs index 082a5daad..09a6d0754 100644 --- a/core/tauri-utils/src/html.rs +++ b/core/tauri-utils/src/html.rs @@ -23,8 +23,6 @@ use crate::config::{DisabledCspModificationKind, PatternKind}; #[cfg(feature = "isolation")] use crate::pattern::isolation::IsolationJavascriptCodegen; -/// The token used on the CSP tag content. -pub const CSP_TOKEN: &str = "__TAURI_CSP__"; /// The token used for script nonces. pub const SCRIPT_NONCE_TOKEN: &str = "__TAURI_SCRIPT_NONCE__"; /// The token used for style nonces. @@ -168,11 +166,6 @@ pub fn inject_csp(document: &NodeRef, csp: &str) { }); } -/// Injects a content security policy token to the HTML. -pub fn inject_csp_token(document: &NodeRef) { - inject_csp(document, CSP_TOKEN) -} - fn create_csp_meta_tag(csp: &str) -> NodeRef { NodeRef::new_element( QualName::new(None, ns!(html), LocalName::from("meta")), @@ -298,12 +291,12 @@ mod tests { ]; for html in htmls { let document = kuchiki::parse_html().one(html); - super::inject_csp_token(&document); + let csp = "csp-string"; + super::inject_csp(&document, csp); assert_eq!( document.to_string(), format!( - r#""#, - super::CSP_TOKEN + r#""#, ) ); } diff --git a/core/tauri/src/protocol/tauri.rs b/core/tauri/src/protocol/tauri.rs index d7629d7c4..fa36fd6ec 100644 --- a/core/tauri/src/protocol/tauri.rs +++ b/core/tauri/src/protocol/tauri.rs @@ -164,14 +164,6 @@ fn get_response( if let Some(handler) = &web_resource_request_handler { handler(request, &mut response); } - // if it's an HTML file, we need to set the CSP meta tag on Linux - #[cfg(target_os = "linux")] - if let Some(response_csp) = response.headers().get("Content-Security-Policy") { - let response_csp = String::from_utf8_lossy(response_csp.as_bytes()); - let html = String::from_utf8_lossy(response.body()); - let body = html.replacen(tauri_utils::html::CSP_TOKEN, &response_csp, 1); - *response.body_mut() = body.as_bytes().to_vec().into(); - } Ok(response) }
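Review bot: The test in the third hunk of `core/tauri-utils/src/html.rs` switches to `super::inject_csp` because `CSP_TOKEN` and `inject_csp_token` are deleted in the first two hunks of the same file; both are `pub`, so any downstream crate using them stops compiling, yet the change file lists `tauri-utils` as `patch:enhance`. Unless the crate is in a pre-release series where that is accepted, mark the removal as breaking in the change file or keep the items with `#[deprecated]` for one release. For the test itself, `let csp = "csp-string";` can move above the `for` loop, and a realistic policy such as `"default-src 'self'"` would also exercise attribute serialisation of the quotes a real CSP contains. The `tests` module starts outside the hunk.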