Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Define CSP HTTP Header in Electron App

Following the API documentation, I don't understand how to define a Content-Security-Policy HTTP Header for the renderer of my Electron application. I always get a warning in the DevTools.

I tried:

1) Copy/Paste the code in the API Doc, blindly:

app.on('ready', () => {     const {session} = require('electron')     session.defaultSession.webRequest.onHeadersReceived((details, callback) => {         callback({responseHeaders: `default-src 'self'`})     })      win = new BrowserWindow(...)     win.loadUrl(...) } 

(By the way, I don't get why "Content-Security-Policy:" is missing in the string. But adding it don't change anything)

2) Modifying the session of the renderer with the same code:

win = new BrowserWindow(...) win.loadUrl(...)  const ses = win.webContents.session; ses.webRequest.onHeadersReceived((details, callback) => {   callback({responseHeaders: `default-src 'self'`}) }) 

3) Add an extra header to ther renderer:

win = new BrowserWindow(...) win.loadURL(`file://${__dirname}/renderer.html`,{     extraHeaders: `Content-Security-Policy: default-src 'self'` }); 

...

The only thing that works is using a meta tag in the renderer HTML file:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'> 
like image 737
Anozer Avatar asked Aug 22 '18 14:08

Anozer


People also ask

What is a CSP header?

The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads. Although it is primarily used as a HTTP response header, you can also apply it via a meta tag. The term Content Security Policy is often abbreviated as CSP .

How do you define CSP?

A communications service providers (CSP) offers telecommunications services or some combination of information and media services, content, entertainment and application services over networks, leveraging the network infrastructure as a rich, functional platform.

Where do I put CSP in HTML?

To add this custom meta tag, you can go to www.yourStore.com/Admin/Setting/GeneralCommon and find Custom <head> tag and add this as shown in the image below. Content Security Policy protects against Cross Site Scripting (XSS) and other forms of attacks such as ClickJacking.


1 Answers

Not sure why the documentation contains this broken code. It confused the hell out of me but I found a working solution by trial and error:

session.defaultSession.webRequest.onHeadersReceived((details, callback) => {     callback({ responseHeaders: Object.assign({         "Content-Security-Policy": [ "default-src 'self'" ]     }, details.responseHeaders)}); }); 

So the headers argument must be an object with the same structure as the original headers received in details.responseHeaders. And the original headers must be included in the passed object as well because this object seems to completely replace the original response headers.

The extraHeaders option isn't for response headers. It is for request headers sent to the server.

like image 173
kayahr Avatar answered Sep 26 '22 09:09

kayahr