tauri-apps / tauri

Build smaller, faster, and more secure desktop applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] How to prohibit <iframe> use @tauri-apps/api? #8316

Open ruoxiaomo opened 8 months ago

ruoxiaomo commented 8 months ago

Describe the bug

I am currently using Tauri to build a plugin platform. These plugins, developed with Vue, React, etc., run within <iframe> elements in the main window and are loaded through HTTP or a custom protocol, for example http://localhost:5174/index.html or custom_protocol://localhost/index.html. Currently, there are significant security concerns because when these plugins install @tauri-apps/api, they can freely invoke Tauri's API functions, for example appWindow.hide(), and they can even use window.__TAURI_POST_MESSAGE__ to call my Rust API.

Is there a way to prevent <iframe> from accessing Tauri's API and window.__TAURI_POST_MESSAGE__? Or can we intercept the request?

I understand that this may not be considered a bug, but addressing this security concern is crucial for my project.

If providing code snippets would be helpful, please let me know🙏.

Reproduction

No response

Expected behavior

No response

Platform and versions

* macOS, Windows

[✔] Environment
    - OS: Mac OS 12.3.1 X64
    ✔ Xcode Command Line Tools: installed
    ✔ rustc: 1.68.2 (9eb3afe9e 2023-03-27)
    ✔ cargo: 1.68.2 (6feb7c9cf 2023-03-26)
    ✔ rustup: 1.25.2 (fae52a197 2023-02-01)
    ✔ Rust toolchain: stable-x86_64-apple-darwin (default)
    - node: 14.18.0
    - yarn: 1.22.19
    - npm: 6.14.15

[-] Packages
    - tauri [RUST]: 1.5.2
    - tauri-build [RUST]: 1.5.0
    - wry [RUST]: 0.24.6
    - tao [RUST]: 0.16.2
    - cargo-tauri [RUST]: 1.0.0
    - @tauri-apps/api [NPM]: 1.5.1
    - @tauri-apps/cli [NPM]: 1.5.6

[-] App
    - build-type: bundle
    - CSP: default-src 'self'; connect-src *; frame-src *; img-src 'self' asset: *; script-src 'self' asset: https://asset.localhost; style-src 'unsafe-inline'  asset: *; media-src *;
    - distDir: ../dist
    - devPath: http://localhost:5173/
    - framework: Vue.js
    - bundler: Vite

Stack trace

No response

Additional context

No response

cijiugechu commented 8 months ago

Will Web Workers meet your needs?

ruoxiaomo commented 7 months ago

> Will Web Workers meet your needs?

No, a Web Worker can't solve my problem. What I want is that iframe JS code cannot use the Tauri API.

ruoxiaomo commented 7 months ago

I also used dangerousRemoteDomainIpcAccess, but it didn't work. 😢

"dangerousRemoteDomainIpcAccess": [
    {
        "scheme": "tauri",
        "domain": "localhost",
        "windows": [
            "main"
        ],
        "plugins": [],
        "enableTauriAPI": false
    }
]

amrbashir commented 7 months ago

I think what you're looking for is the isolation pattern https://tauri.app/v1/references/architecture/inter-process-communication/isolation
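As an added illustration of the isolation-pattern suggestion above (this is example code, not code from the issue or from the Tauri project), the snippet below is the kind of hook an isolation application would install: it allowlists IPC commands and refuses everything else before the payload reaches Rust. It assumes the hook receives the same object the frontend hands to window.__TAURI_POST_MESSAGE__ and that the command name is in a `cmd` field; the command names in the allowlist are constructed for the example.

```javascript
// Added example, not code from the issue or from the Tauri project.
// Assumptions: the isolation hook is called with the object passed to
// window.__TAURI_POST_MESSAGE__, and that object names the command in a
// `cmd` field. The allowed command names below are constructed.

// Commands the host app is willing to let any frame invoke (constructed list).
const ALLOWED_COMMANDS = new Set(['get_plugin_settings', 'log_message']);

// Decide whether an IPC payload may pass. Returns a verdict object so the
// caller can see why a payload was rejected.
function filterIpcPayload(payload, allowed = ALLOWED_COMMANDS) {
  if (payload === null || typeof payload !== 'object') {
    return { ok: false, reason: 'payload is not an object' };
  }
  if (typeof payload.cmd !== 'string') {
    return { ok: false, reason: 'missing cmd' };
  }
  if (!allowed.has(payload.cmd)) {
    return { ok: false, reason: `command not allowed: ${payload.cmd}` };
  }
  return { ok: true, payload };
}

// Build a hook in the shape the isolation pattern uses: a function that
// receives the payload and returns the payload to forward to Rust.
// This example refuses a payload by throwing; how Tauri surfaces such an
// error to the calling frame is not covered here (assumption).
function makeIsolationHook(allowed = ALLOWED_COMMANDS) {
  return (payload) => {
    const verdict = filterIpcPayload(payload, allowed);
    if (!verdict.ok) {
      throw new Error(`IPC blocked by isolation hook: ${verdict.reason}`);
    }
    return verdict.payload;
  };
}

// Install the hook when this script runs inside the isolation application's
// page; in Node (for the tests below) there is no window, so nothing happens.
if (typeof window !== 'undefined') {
  window.__TAURI_ISOLATION_HOOK__ = makeIsolationHook();
}
```

The allowlist is deliberately per-command rather than per-origin: every frame in the window shares the injected IPC globals, so the hook is the one place where the host decides what any frame may ask Rust to do.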

rgbkrk commented 6 months ago

I've got a similar request for the ability to load an iframe which will use HTML in the same style as the isolation pattern. I'm not sure how to load this without opening a window though. Can I refer to the bundled html with a particular scheme?

amrbashir commented 3 months ago

Closing this since the isolation pattern should be used to prevent this.

FabianLars commented 3 months ago

afaik the security team is still looking into this so i'm reopening it for now