search

capacitor-community / electron

Deploy your Capacitor apps to Linux, Mac, and Windows desktops, with the Electron platform! 🖥️
https://capacitor-community.github.io/electron/
MIT License
318 stars 58 forks source link

How to add media-src directive to the CSP #206

Closed jepiqueau closed 1 year ago

jepiqueau commented 1 year ago

Describe the bug I could not find the way in the documentation to add a media-src directive to the content security policy it is not a bug but a lack of documentation

Can we use the customUrlScheme in the ElectronConfig? and if yes how to define the string with the urls of the video Do we have to change the setupContentSecurityPolicy method in the setup.ts file to define a media-src ? if yes how

Thanks

To Reproduce Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

Smartphone (please complete the following information):

Additional context Add any other context about the problem here.

JuliusSkrisa commented 1 year ago

@jepiqueau if you are using latest version there is a 'setupContentSecurityPolicy' function in setup.ts file (electron folder). where you can edit CSP string.

jepiqueau commented 1 year ago

@JuliusSkrisa thanks for your answer but hiw do i have to edit it let says for example for https:://example.com/example.mp4

JuliusSkrisa commented 1 year ago

you should be able to find your answer here https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP but example 2 in the link I think would work.

jepiqueau commented 1 year ago

@JuliusSkrisa You know if i am asking this is because i google and try without success to update the setup.ts file

        'Content-Security-Policy': [
          electronIsDev
            ? `default-src ${customScheme}://* media-src://* 'unsafe-inline' devtools://* 'unsafe-eval' data:`
            : `default-src ${customScheme}://* 'unsafe-inline' data:`,
        ],

and i got 

Refused to load media from 'https://brenopolanski.github.io/html5-video-webvtt-example/MIB2.mp4' because it violates the following Content Security Policy directive: "default-src capacitor-electron://* media-src://* 'unsafe-inline' devtools://* 'unsafe-eval' data:". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.

So i need someone to give me the right syntax

jepiqueau commented 1 year ago

@JuliusSkrisa if finally got it

        'Content-Security-Policy': [
          electronIsDev
            ? `default-src ${customScheme}://* 'unsafe-inline' devtools://* 'unsafe-eval' data:; media-src ${customScheme}: https://*`
            : `default-src ${customScheme}://* 'unsafe-inline' data:`,
        ],