
asaschachar/electron-csp-test


electron-csp-test

Clone and run for an example of Electron Issue 6465

This is a minimal Electron application that reproduces the issue: webFrame.registerURLSchemeAsBypassingCSP(scheme) can only register whole protocol schemes (such as https or file) as bypassing a page's CSP policy. It offers no finer control over the bypass, such as CSP source lists like http://*.example.com.

Explanation of the application:

  • The main browser window loads two webviews. Both webviews load https://github.com.
  • Both webviews try to load a remote script from https://hosted-script.herokuapp.com/alert.js
  • One webview registers the scheme https as bypassing CSP, which works, as the console log in the webview's developer tools shows.
  • The other webview registers the scheme https://*.herokuapp.com, which fails: the script is blocked by GitHub's CSP, as the console log in the webview's developer tools shows.
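The difference in granularity can be seen without Electron. The Node.js sketch below is an added example, not code from this repository: it models a scheme-only comparison (the behaviour the two webviews show) next to a simplified CSP host-source match. The function names and the two extra URLs are constructed, and the matcher ignores paths and default-port rules.

```javascript
// Added example (not from the repository): scheme-level bypass vs. a CSP source list.
// Simplified CSP matching: scheme-source ("https:") and host-source with an
// optional leading "*." and optional port; paths are ignored.

// Model of the behaviour the README reports: the registered string is
// compared against the URL's scheme only.
function bypassedByScheme(registered, url) {
  return new URL(url).protocol === registered.toLowerCase() + ':';
}

// Simplified CSP source-expression match.
function matchesSource(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return u.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const actual = u.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  // "*.example.com" matches subdomains only, not "example.com" itself.
  if (wildcard ? !actual.endsWith('.' + wanted) : actual !== wanted) return false;
  if (port && port !== '*') {
    const effective = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// Script URL from the README plus two constructed URLs on other hosts.
const urls = [
  'https://hosted-script.herokuapp.com/alert.js',
  'https://cdn.example.net/lib.js',          // constructed
  'https://herokuapp.com.example.org/a.js',  // constructed look-alike host
];

function compare() {
  return urls.map((url) => ({
    url,
    schemeHttps: bypassedByScheme('https', url),
    schemeWithSourceList: bypassedByScheme('https://*.herokuapp.com', url),
    sourceList: matchesSource('https://*.herokuapp.com', url),
  }));
}

console.table(compare());
```

Registering https exempts every HTTPS origin from the page's CSP, while the source-list form would have exempted only the herokuapp.com subdomain.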

About

Minimal reproducible example testing electron's 'registerURLSchemeAsBypassingCSP'
