jsnbuchanan/crowd-funder-for-time-pwa
1
0
Fork 1
forked from trent_larson/crowd-funder-for-time-pwa
Code Issues Pull Requests Projects Releases Wiki Activity

fix: add Content Security Policy for Electron API connections

Browse Source 
- Add CSP headers to allow connections to endorser.ch and timesafari.app APIs
- Configure secure content policies for images, scripts, styles and fonts
- Fix API connection errors by allowing required external resources
- Remove duplicate CSP header configuration
This commit is contained in:
Matthew Raymer
2025-02-13 06:56:35 +00:00
parent de017d1a71
commit 9a966ef04d
1 changed files with 16 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/electron/main.js
View File

@@ -83,23 +83,22 @@ function createWindow() {
throw new Error("Index file not found"); throw new Error("Index file not found");
} }
// Set CSP headers // Add CSP headers to allow API connections
mainWindow.webContents.session.webRequest.onHeadersReceived( mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
(details, callback) => {
callback({ callback({
responseHeaders: { responseHeaders: {
...details.responseHeaders, ...details.responseHeaders,
"Content-Security-Policy": [ 'Content-Security-Policy': [
"default-src 'self';" + "default-src 'self';" +
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;" + "connect-src 'self' https://api.endorser.ch https://*.timesafari.app;" +
"font-src 'self' https://fonts.gstatic.com;" + "img-src 'self' data: https: blob:;" +
"script-src 'self' 'unsafe-eval' 'unsafe-inline';" + "script-src 'self' 'unsafe-inline' 'unsafe-eval';" +
"img-src 'self' data: https:;", "style-src 'self' 'unsafe-inline';" +
], "font-src 'self' data:;"
}, ]
}); }
}, })
); })
// Load the index.html // Load the index.html
mainWindow mainWindow