Menu
Following the API documentation, I don't understand how to define a Content-Security-Policy HTTP Header for the renderer of my Electron application. I always get a warning in the DevTools.
I tried:
1) Copy/Paste the code in the API Doc, blindly:
app.on('ready', () => { const {session} = require('electron') session.defaultSession.webRequest.onHeadersReceived((details, callback) => { callback({responseHeaders: `default-src 'self'`}) }) win = new BrowserWindow(...) win.loadUrl(...) } (By the way, I don't get why "Content-Security-Policy:" is missing in the string. But adding it don't change anything)
2) Modifying the session of the renderer with the same code:
win = new BrowserWindow(...) win.loadUrl(...) const ses = win.webContents.session; ses.webRequest.onHeadersReceived((details, callback) => { callback({responseHeaders: `default-src 'self'`}) }) 3) Add an extra header to ther renderer:
win = new BrowserWindow(...) win.loadURL(`file://${__dirname}/renderer.html`,{ extraHeaders: `Content-Security-Policy: default-src 'self'` }); ...
The only thing that works is using a meta tag in the renderer HTML file:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'> 
737
The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads. Although it is primarily used as a HTTP response header, you can also apply it via a meta tag. The term Content Security Policy is often abbreviated as CSP .
A communications service providers (CSP) offers telecommunications services or some combination of information and media services, content, entertainment and application services over networks, leveraging the network infrastructure as a rich, functional platform.
To add this custom meta tag, you can go to www.yourStore.com/Admin/Setting/GeneralCommon and find Custom <head> tag and add this as shown in the image below. Content Security Policy protects against Cross Site Scripting (XSS) and other forms of attacks such as ClickJacking.
Not sure why the documentation contains this broken code. It confused the hell out of me but I found a working solution by trial and error:
session.defaultSession.webRequest.onHeadersReceived((details, callback) => { callback({ responseHeaders: Object.assign({ "Content-Security-Policy": [ "default-src 'self'" ] }, details.responseHeaders)}); }); So the headers argument must be an object with the same structure as the original headers received in details.responseHeaders. And the original headers must be included in the passed object as well because this object seems to completely replace the original response headers.
The extraHeaders option isn't for response headers. It is for request headers sent to the server.
173
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
