capacitor-community / electron

Deploy your Capacitor apps to Linux, Mac, and Windows desktops, with the Electron platform! 🖥️
https://capacitor-community.github.io/electron/
MIT License

Content Security Policy directive error #149

Closed laclance closed 2 years ago

laclance commented 2 years ago

I have tried a bunch of security policies to connect to our API but always get refused, only on v4.

Refused to connect to 'https://myapi...' because it violates the following Content Security Policy directive: "connect-src 'self' https://myapi.../* 'unsafe-inline' 'unsafe-eval'".

export function setupContentSecurityPolicy(customScheme: string): void {
  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
    callback({
      responseHeaders: {
        ...details.responseHeaders,
        'Content-Security-Policy': [
          electronIsDev
            ? `default-src ${customScheme}://* https://myapi.../* 'unsafe-inline' devtools://* https://myapi.../* 'unsafe-eval' data: https://myapi.../*; script-src 'self' https://myapi.../* 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://myapi.../* 'unsafe-inline' 'unsafe-eval';`
            : `default-src ${customScheme}://* 'unsafe-inline' data:`
        ]
      }
    });
  });
}

v4.0.3, Chrome 94, Windows 10, React 17

schwenkreis commented 2 years ago

Just try https://myapi.../ (no * after the final slash)

laclance commented 2 years ago

Thanks, yeah, it seems * is only a prefix, not a suffix.
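
The matching rule behind the fix above, as an added example that is not part of the original thread or the project's code: a simplified JavaScript sketch of the CSP Level 3 matching steps for host-source expressions, showing why a path of `/*` is compared literally while a path ending in `/` matches as a prefix. The host `myapi.example` and all function names are assumptions made for illustration.

```javascript
// Added example: simplified CSP Level 3 host-source matching.
// myapi.example is a constructed placeholder host, not the API from the issue.
// Simplifications: the expression must include a scheme, and scheme upgrades
// (an http: source matching an https: URL) are not modelled.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Path part: a trailing "/" means prefix match, anything else is an exact
// match. "*" has no special meaning inside a path.
function pathMatches(exprPath, urlPath) {
  if (exprPath === '' || exprPath === '/') return true;
  const exact = !exprPath.endsWith('/');
  const a = exprPath.split('/');
  const b = urlPath.split('/');
  if (a.length > b.length || (exact && a.length !== b.length)) return false;
  if (!exact) a.pop(); // drop the empty piece after the trailing "/"
  return a.every((piece, i) => decode(piece) === decode(b[i]));
}

// Host part: "*" is a wildcard only as the entire leftmost label ("*.host").
function hostMatches(exprHost, urlHost) {
  const e = exprHost.toLowerCase();
  const h = urlHost.toLowerCase();
  return e.startsWith('*.') ? h.endsWith(e.slice(1)) : e === h;
}

function sourceMatches(expr, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path = ''] = m;
  const u = new URL(url);
  if (scheme.toLowerCase() + ':' !== u.protocol) return false;
  if (!hostMatches(host, u.hostname)) return false;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol];
  if (port === undefined ? u.port !== '' : port !== '*' && port !== urlPort) return false;
  return pathMatches(path, u.pathname);
}

// connect-src check: the request is allowed if any listed source matches.
const connectAllowed = (sources, url) => sources.some((s) => sourceMatches(s, url));

const request = 'https://myapi.example/v1/users'; // constructed sample request
console.log(connectAllowed(['https://myapi.example/*'], request)); // path "/*" is literal
console.log(connectAllowed(['https://myapi.example/'], request));  // "/" matches every path
```

Keywords such as `'self'` are not host-source expressions and are not handled by this sketch.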

laclance commented 2 years ago

Is there a way to dynamically edit the policy? I will open up a new issue. https://github.com/capacitor-community/electron/issues/150