From 9a966ef04d60d4bea26621eea8cfddee520cc307 Mon Sep 17 00:00:00 2001
From: Matthew Raymer
Date: Thu, 13 Feb 2025 06:56:35 +0000
Subject: [PATCH] fix: add Content Security Policy for Electron API connections

- Add CSP headers to allow connections to endorser.ch and timesafari.app APIs
- Configure secure content policies for images, scripts, styles and fonts
- Fix API connection errors by allowing required external resources
- Remove duplicate CSP header configuration

---
 src/electron/main.js | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/src/electron/main.js b/src/electron/main.js
index 8ac60811..259f8341 100644
--- a/src/electron/main.js
+++ b/src/electron/main.js
@@ -83,23 +83,22 @@ function createWindow() {
 throw new Error("Index file not found");
 }
 
- // Set CSP headers
- mainWindow.webContents.session.webRequest.onHeadersReceived(
- (details, callback) => {
- callback({
- responseHeaders: {
- ...details.responseHeaders,
- "Content-Security-Policy": [
- "default-src 'self';" +
- "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;" +
- "font-src 'self' https://fonts.gstatic.com;" +
- "script-src 'self' 'unsafe-eval' 'unsafe-inline';" +
- "img-src 'self' data: https:;",
- ],
- },
- });
- },
- );
+ // Add CSP headers to allow API connections
+ mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+ callback({
+ responseHeaders: {
+ ...details.responseHeaders,
+ 'Content-Security-Policy': [
+ "default-src 'self';" +
+ "connect-src 'self' https://api.endorser.ch https://*.timesafari.app;" +
+ "img-src 'self' data: https: blob:;" +
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval';" +
+ "style-src 'self' 'unsafe-inline';" +
+ "font-src 'self' data:;"
+ ]
+ }
+ })
+ })
 
 // Load the index.html
 mainWindow