fix: add Content Security Policy for Electron API connections

- Add CSP headers to allow connections to endorser.ch and timesafari.app APIs - Configure secure content policies for images, scripts, styles and fonts - Fix API connection errors by allowing required external resources - Remove duplicate CSP header configuration
1 week ago · 9a966ef04d
1 changed files with 16 additions and 17 deletions
--- a/src/electron/main.js
+++ b/src/electron/main.js
@ -83,23 +83,22 @@ function createWindow() {
    throw new Error("Index file not found");
  }

-  // Set CSP headers
-  mainWindow.webContents.session.webRequest.onHeadersReceived(
-    (details, callback) => {
-      callback({
-        responseHeaders: {
-          ...details.responseHeaders,
-          "Content-Security-Policy": [
-            "default-src 'self';" +
-              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;" +
-              "font-src 'self' https://fonts.gstatic.com;" +
-              "script-src 'self' 'unsafe-eval' 'unsafe-inline';" +
-              "img-src 'self' data: https:;",
-          ],
-        },
-      });
-    },
-  );
+  // Add CSP headers to allow API connections
+  mainWindow.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+    callback({
+      responseHeaders: {
+        ...details.responseHeaders,
+        'Content-Security-Policy': [
+          "default-src 'self';" +
+          "connect-src 'self' https://api.endorser.ch https://*.timesafari.app;" +
+          "img-src 'self' data: https: blob:;" +
+          "script-src 'self' 'unsafe-inline' 'unsafe-eval';" +
+          "style-src 'self' 'unsafe-inline';" +
+          "font-src 'self' data:;"
+        ]
+      }
+    })
+  })

  // Load the index.html
  mainWindow