New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: add CSP examples #13167
doc: add CSP examples #13167
Conversation
Would love to get input on a sensible default policy. @sindresorhus does your example in #12909 represent what you think are good defaults? |
docs/tutorial/security.md
Outdated
session.defaultSession.webRequest.onHeadersReceived((details, callback) => { | ||
callback({responseHeaders: `default-src 'self'`}) | ||
}) | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you should point out that the best would be to start with default-src 'none';
and then allow what's needed. It's always better to include than exclude. Most will probably then end up with:
default-src 'none';
script-src 'self';
img-src 'self' data:;
style-src 'self';
font-src 'self';
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a solid point, I agree with that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to default-src 'none'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can bikeshed which CSP we actually recommend a bit, but showing any kind of example is already helpful.
const {session} = require('electron') | ||
|
||
session.defaultSession.webRequest.onHeadersReceived((details, callback) => { | ||
callback({responseHeaders: `default-src 'none'`}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This example is not correct. responseHeaders
should be an object.
It also needs to be called on app.on('ready')
, so for copy-pastable reasons, I think that should be included in the example too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// @zeke @felixrieseberg @MarshallOfSound 猬嗭笍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
馃憤
I think you should also include these by in the example as they're not covered by
I would also link to https://developers.google.com/web/fundamentals/security/csp/ which is another good resource on this topic. |
I don't find the current examples sufficient. For example, I have no idea where the "session.defaultSession.webRequest.onHeadersReceived" magic incantation is supposed to go. The "Writing Your First Electron App" page also does not even mention this issue despite the fact such an app will display a warning about CSP. Finally, since I haven't used CSP in any form at all before, let alone with Electron, it'd be nice to have a guide for what policies to set. |
Is |
Can we possibly improve this example further? I and others have spent a lot of time trying to figure out how to get this working. None of the answers to this question on StackExchange seem to work for anyone but the submitter. https://stackoverflow.com/questions/51969512/define-csp-http-header-in-electron-app I'm using a crazy preload script that injects the CSP currently. I've revisited this several times and never gotten the CSP to work via the header method. I've tried inside and outside |
As @justinmeiners said, it seems that
|
adding my voice to those asking for clearer docs and examples. the only thing i've been able to get working is this 馃憠 https://stackoverflow.com/a/52243138/579167 more problematically, while this approach appears to work as expected when i'm running in development (where my i've tried:
of those the any help here would be very much appreciated 馃檹 |
@busticated The |
@MarshallOfSound thanks for this answer. So there is no way to set CSP in the main process if renderers are local files packaged in the application. Do you know why |
@MarshallOfSound Thank you for this explanation. Since most Electron apps use local resources (file: protocol) shouldn't meta tag be the recommended way of doing CSP? At the very least can we update the documentation to explain when to use "meta" tag instead of discouraging it? |
thanks @MarshallOfSound 馃憤 it seems like that pattern - using i realize this is somewhat off-topic but what's the guidance there? do most professional (馃檮) apps use at the least, probably worth flagging in the docs along with calling out that the CSP headers should only be set for |
@MarshallOfSound I've submitted a |
This PR adds some examples of how to configure a Content Security Policy, using either an HTTP header or a
<meta>
tag.馃崘 @liliakai