# CSP issues on external site


tardy tendon

Hi! I'm using Tauri v2 and have a WebView with an external URL. This worked fine with injecting scripts and calling to Rust when I was previously on v1, but I recently switched to a fork of the feat/multiwebview branch to allow a separate titlebar/content WebView. This worked perfectly, except now I'm getting CSP errors like the following when using any window.__TAURI__ API:

Refused to connect to 'http://ipc.localhost/plugin%3Aevent%7Cemit' because it violates the document's Content Security Policy.

I doubt this is a result of me using the multi WebView features -- it makes sense that the CSP would prevent fetching these scripts, but something must have changed in v2.
My question is whether there's any way for me to fix this; I'm already using a fork, so I don't mind making tweaks to Tauri itself for now; I just want something that works. Could I either:

  • Disable CSP altogether; this isn't a good solution on the security side of things, but if it's the only solution, it's okay to me.
  • Modify the CSP of every response to allow ipc.localhost; this sounds difficult, and wouldn't work by default using on_web_resource_request since it only handles tauri:// requests. Maybe I could change that? I recall reading that it's impossible to intercept and change http or https requests on macOS, but I can't find where I saw that.
  • Somehow change how this communication is done to not require web requests; this sounds unfeasible.

I would need it to work on Windows and macOS. I'm sorry if I'm overlooking something. Thank you!

half trail

> Disable CSP altogether; this isn't a good solution on the security side of things, but if it's the only solution, it's okay to me.

Likely can't even do that (on macOS & Linux).

> I recall reading that it's impossible to intercept and change http or https requests on MacOS, but I can't find where I saw that.

This one? https://github.com/tauri-apps/tauri/discussions/4912#discussioncomment-3406282 (I know it's mostly about requests) - I do think I wrote something similar that was more clear about responses and macOS/Linux, but either way you're right, we can't modify headers.

> Somehow change how this communication is done to not require web requests; this sounds unfeasible.

Depends on the size of your payloads. This is how the IPC used to work in v1, so it may still be feasible.

tardy tendon

That makes sense; thanks for clarifying. Apologies if I wasn't supposed to open an issue and support question, but I figured it would be good to put it in the issue tracker. For now, I modified Tauri to use ipc.postMessage instead of fetch requests, but it would be great to have something like this built in. I understand that's a large change, though, and it wouldn't benefit many people. Maybe a good in-between is documentation on WebviewUrl::External stating that we can't/don't modify the site's content security policy, so Tauri APIs will be broken?
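The refusal quoted in the first post is the browser's connect-src check: the external site's policy governs every fetch the injected script makes, so a request to ipc.localhost is blocked unless that origin is listed. The following is an added example, not Tauri's code or anything posted in the thread; it models that check (connect-src falling back to default-src, 'self', scheme sources and wildcard host sources, with host-source paths ignored) against a constructed site origin and policy, so a defender can predict which injected calls a given third-party policy will refuse.

```javascript
// Added example (not Tauri's code): does a page's CSP permit a fetch/XHR to `url`?
// pageOrigin is the origin of the page carrying the policy (constructed below).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // duplicate directive: first wins
  }
  return directives;
}

function hostSourceMatches(expr, target) {
  // expr is [scheme://]host[:port][/path]; host may carry a leading "*." wildcard; path ignored
  const sep = expr.indexOf('://');
  const scheme = sep === -1 ? null : expr.slice(0, sep).toLowerCase() + ':';
  const hostPort = (sep === -1 ? expr : expr.slice(sep + 3)).split('/')[0];
  const m = /^(\*\.)?([^:]+)(?::(\d+|\*))?$/.exec(hostPort);
  if (!m) return false;
  const [, wildcard, host, port] = m;
  if (scheme && scheme !== target.protocol) return false;
  const h = target.hostname.toLowerCase(), want = host.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + want) : h === want;
  // no explicit port in the source means the target must use its scheme's default port
  const portOk = port === undefined ? target.port === '' : port === '*' || port === target.port;
  return hostOk && portOk;
}

function sourceMatches(expr, target, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (expr.startsWith("'")) return false;                 // nonce/hash sources never apply to connections
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === target.protocol; // scheme-source
  return hostSourceMatches(expr, target);
}

function connectAllowed(cspHeader, url, pageOrigin) {
  const d = parseCsp(cspHeader);
  const list = d['connect-src'] ?? d['default-src'];     // connect-src falls back to default-src
  if (list === undefined) return true;                    // policy does not govern connections
  const target = new URL(url);
  return list.some((expr) => sourceMatches(expr, target, pageOrigin));
}

// Constructed site origin and policy that never mention ipc.localhost, as in the thread.
const SITE = 'https://example.com';
const POLICY = "default-src 'self'; connect-src 'self' https://api.example.com";
const IPC = 'http://ipc.localhost/plugin%3Aevent%7Cemit';
console.log(connectAllowed(POLICY, IPC, SITE));                                    // false
console.log(connectAllowed("connect-src 'self' http://ipc.localhost", IPC, SITE)); // true
```

A policy with no connect-src and no default-src leaves connections unrestricted, which is why the same injected script worked on some external sites and not others.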