Open ohmree opened 3 years ago
I've managed to reproduce this issue in a minimal example:
web_view::builder()
.title("Minimal webview example")
// .content(Content::Html(std::str::from_utf8(index_content.as_ref())?))
.content(Content::Html(r#"<html><head></head><body><script>console.log(window.localStorage)</script></body></html>"#))
.size(800, 600)
.resizable(true)
.user_data(())
.invoke_handler(|_webview, _arg| Ok(()))
.run()?;
And since now the console doesn't crash anymore, I can look at the value of window.location.href
:
"data:text/html,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%3E%3Cscript%3Econsole.log%28window.localStorage%29%3C%2Fscript%3E%3C%2Fbody%3E%3C%2Fhtml%3E"
Which I suspect is indeed the reason this is happening.
EDIT: here's some more info about this, which was surprisingly hard to find.
EDIT #2: I think the best option is for me to implement some sort of wrapper that can use either seed's localStorage
api or something custom-made that's exposed to the browser (and to wasm_bindgen
) using web-view's api.
I don't know how much work it'll be though, I might have a go at implementing it sometime soon.
I'm building a single-page app using seed and rollup, and a native wrapper using inline-assets, rust-embed and web-view (all glued together using npm and rust build scripts).
When I serve my single html file or load it locally (as a
file://
url) in epiphany, firefox or chromium it works just fine, but when I embed it into the native wrapper and load the entire html contents usingWebViewBuilder::content
it complains about the operation being insecure (the exact error is in the issue title).I assume this is due to how web-view loads the entire file as a
data:
url, and have tried various csp configurations to fix this (using my personal fork of the rollup html plugin that adds file hash csp directives along with any other csp directives it's configured to add, without the file hash directives i'd have to enableunsafe-inline
for scripts).I've tried allowing
unsafe-inline
fordefault-src
andscript-src
and allowingdata:
fordefault-src
but nothing worked, it always crashes with an extremely long message (as long as my index.html) that makes debugging impossible because the console chokes on such a giant error and freezes (when I redirect the error message to a file it takes up about 10 mb of space).Here's how the error looks, not too helpful:
Is there any way to bypass this using csp?
Thanks in advance.