Open ruoxiaomo opened 8 months ago
Will Web Workers meet your needs?
No, web worker can't solve my problem. What I want is that iframe JS code cannot use the Tauri API.
I also used `dangerousRemoteDomainIpcAccess`, but it didn't work. 😢
```json
"dangerousRemoteDomainIpcAccess": [
  {
    "scheme": "tauri",
    "domain": "localhost",
    "windows": [
      "main"
    ],
    "plugins": [],
    "enableTauriAPI": false
  }
]
```
I think what you're looking for is the isolation pattern https://tauri.app/v1/references/architecture/inter-process-communication/isolation
I've got a similar request for the ability to load an iframe which will use HTML in the same style as the isolation pattern. I'm not sure how to load this without opening a window though. Can I refer to the bundled html with a particular scheme?
Closing this since the isolation pattern should be used to prevent this.
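As an added illustration of the isolation pattern referred to above (example code, not from the Tauri project or anyone in this thread): an isolation-frame hook that only forwards IPC payloads whose command is on a host-defined allowlist and blocks built-in API modules such as the one behind `appWindow.hide()`. Assumptions: the hook receives the raw IPC payload as an object with a `cmd` string (with `cmd === "tauri"` plus a `__tauriModule` string for built-in API calls), returning the payload forwards it, and throwing drops it; the command names and the payload shapes are constructed.

```javascript
// Added example; not Tauri project code. Assumed payload shape:
// { cmd: "<custom command>" } or { cmd: "tauri", __tauriModule: "<Module>", ... }.

// Constructed policy: commands the plugin host intentionally exposes, and the
// built-in API modules frames may reach (empty = none, so appWindow.hide() is out).
const ALLOWED_COMMANDS = new Set(["plugin_get_settings", "plugin_log"]);
const ALLOWED_TAURI_MODULES = new Set([]);

// Pure decision function so the policy can be unit-tested outside the webview.
function decideIpcPayload(payload,
                          allowedCommands = ALLOWED_COMMANDS,
                          allowedModules = ALLOWED_TAURI_MODULES) {
  if (payload === null || typeof payload !== "object" || typeof payload.cmd !== "string") {
    return { allowed: false, reason: "malformed payload" };
  }
  if (payload.cmd === "tauri") {
    // Built-in @tauri-apps/api call: gate on the module name (assumed field).
    const mod = payload.__tauriModule;
    if (typeof mod !== "string" || !allowedModules.has(mod)) {
      return { allowed: false, reason: "built-in module " + String(mod) + " not allowed" };
    }
    return { allowed: true, reason: "built-in module allowed" };
  }
  // Custom Rust command: must be explicitly allowlisted.
  if (!allowedCommands.has(payload.cmd)) {
    return { allowed: false, reason: "command " + payload.cmd + " not allowed" };
  }
  return { allowed: true, reason: "command allowed" };
}

// Hook installed in the isolation frame. Returning the payload forwards it;
// throwing is assumed to drop the message (assumption, see lead-in).
function isolationHook(payload) {
  const decision = decideIpcPayload(payload);
  if (!decision.allowed) {
    // Surface blocked attempts so the host can detect misbehaving plugins.
    console.warn("IPC blocked by isolation hook:", decision.reason);
    throw new Error("IPC rejected: " + decision.reason);
  }
  return payload;
}

// Register only inside a browser-like context (the isolation iframe).
if (typeof window !== "undefined") {
  window.__TAURI_ISOLATION_HOOK__ = isolationHook;
}
```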
AFAIK the security team is still looking into this, so I'm reopening it for now.
Describe the bug
I am currently using Tauri to build a plugin platform. These plugins, developed using Vue, React, etc., run within `<iframe>` elements in the main window, loaded through HTTP or a custom protocol, for example, `http://localhost:5174/index.html` or `custom_protocol://localhost/index.html`.
Currently, there are significant security concerns because when these plugins install `@tauri-apps/api`, they can freely invoke Tauri's API functions, for example, `appWindow.hide()`. They can even use `window.__TAURI_POST_MESSAGE__` to call my Rust API. Is there a way to prevent `<iframe>` from accessing Tauri's API and `window.__TAURI_POST_MESSAGE__`? Or can we intercept the request? I understand that this may not be considered a bug, but addressing this security concern is crucial for my project.
If providing code snippets would be helpful, please let me know 🙏.
Reproduction
No response
Expected behavior
No response
Platform and versions
Stack trace
No response
Additional context
No response