
[Bug]: CSP not working in development #31029

Closed
3 tasks done
linonetwo opened this issue Sep 20, 2021 · 7 comments
Labels
blocked/need-repro Needs a test case to reproduce the bug bug 🪲

Comments

@linonetwo

Preflight Checklist

Electron Version

14.0.1

What operating system are you using?

macOS

Operating System Version

11.5.2

What arch are you using?

x64

Last Known Working Electron version

No response

Expected Behavior

No warning, or allow me to disable CSP; otherwise I can barely do any testing in my dev environment.

Actual Behavior

Refused to connect to 'https://tiddlygit-desktop.authing.cn/oidc/.well-known/jwks.json' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

While I already have this meta

[Screenshot 2021-09-21 01:13:43]

Testcase Gist URL

No response

Additional Information

I already have webSecurity: false, but the error is still shown. And adding the correct meta tag can't stop it complaining about "Note that 'connect-src' was not explicitly set".

@codebytere
Member

Thanks for reporting this and helping to make Electron better!

Because of time constraints, triaging code with third-party dependencies is usually not feasible for a small team like Electron's.

Would it be possible for you to make a standalone testcase with only the code necessary to reproduce the issue? For example, Electron Fiddle is a great tool for making small test cases and makes it easy to publish your test case to a gist that Electron maintainers can use.

Stand-alone test cases make fixing issues go more smoothly: it ensures everyone's looking at the same issue, it removes all unnecessary variables from the equation, and it can also provide the basis for automated regression tests.

I'm adding the blocked/need-repro label for this reason. After you make a test case, please link to it in a followup comment. This issue will be closed in 10 days if the above is not addressed.

@codebytere codebytere added the blocked/need-repro Needs a test case to reproduce the bug label Sep 22, 2021
@linonetwo linonetwo changed the title [Bug]: [Bug]: CSP not working in development Sep 22, 2021
@BlackHole1
Member

I think I understand what you're saying. What you're trying to say is:
Why did the Content-Security-Policy error still occur when webSecurity:false?

We need to make it clear that CORS and CSP are two things; they are completely different concepts.

You can simply understand it as: Electron's webSecurity is essentially a call to Chromium's --disable-web-security

--disable-web-security is used to turn off CORS, not CSP, see: https://source.chromium.org/chromium/chromium/src/+/main:content/public/common/content_switches.cc;l=301-304;drc=2877a80e202a9a972ced84153f0f0e03f5ec799e

I checked and there is no good way to turn off CSP (at the code level)

In your example, there is an easy way to do this, just remove the <meta http-equiv="Content-Security-Policy" ...>

cc @codebytere @MarshallOfSound, do you have anything to add?
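The distinction made above (webSecurity/CORS on one side, CSP on the other) and the fallback the warning describes can be seen in a small evaluator. This is an added example, not code from the issue, from Electron or from Chromium: it mirrors how the browser picks the governing directive for a request and falls back to default-src, then applies the source-expression rules. The policy string and the request URLs are the ones quoted in the issue; the page origin PAGE_ORIGIN is an assumed dev-server origin, and the matcher is a simplified version of the CSP source-matching algorithm (no nonce/hash handling, basic path matching).

```javascript
// Added example (not code from the issue, Electron or Chromium): a small CSP
// evaluator that picks the governing directive for a request, falls back to
// default-src, and matches source expressions. PAGE_ORIGIN is an assumption.

// Fetch directives that fall back to default-src when not set.
const FETCH_DIRECTIVES = new Set([
  'connect-src', 'script-src', 'style-src', 'img-src', 'font-src', 'media-src',
  'object-src', 'frame-src', 'worker-src', 'manifest-src', 'child-src',
]);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "directive src src; directive src" -> Map(directive -> [sources]).
// As in CSP, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// The specific directive if present, else default-src (this is the "'connect-src'
// was not explicitly set, so 'default-src' is used as a fallback" case), else none.
function governingDirective(directives, directive) {
  if (directives.has(directive)) return directive;
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) return 'default-src';
  return null;
}

// Does one source expression match the request URL for a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (source.startsWith("'")) return false;      // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source: data:, https:
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;                          // not a host-source we understand: deny
  const [, scheme, wildcard, host, port, path] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  const schemeOk = scheme
    ? url.protocol === scheme + ':'
    : url.protocol === pageScheme || (pageScheme === 'http:' && url.protocol === 'https:');
  if (!schemeOk) return false;                   // scheme-less host-source: page scheme, or http -> https upgrade
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  const wantPort = port === '*' ? urlPort : (port || DEFAULT_PORTS[url.protocol] || '');
  if (urlPort !== wantPort) return false;
  if (path && !(path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// Decide one request against a policy; also reports which directive decided it.
function evaluate(policy, directive, requestUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const governing = governingDirective(directives, directive);
  if (governing === null) return { allowed: true, governing };   // nothing applies: allowed
  const url = new URL(requestUrl);
  const allowed = directives.get(governing).some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, governing };
}

const PAGE_ORIGIN = 'http://localhost:3000';                      // assumption: the dev server
const ISSUE_POLICY = "default-src 'self' 'unsafe-inline' data:";  // the policy from the issue's <meta>
const JWKS_URL = 'https://tiddlygit-desktop.authing.cn/oidc/.well-known/jwks.json';
const GITHUB_GRAPHQL = 'https://api.github.com/graphql';

// The policy the warning is pointing at: connect-src set explicitly, so the
// fallback never happens. CORS and webSecurity play no part in any of this.
const FIXED_POLICY =
  "default-src 'self' 'unsafe-inline' data:; " +
  "connect-src 'self' https://tiddlygit-desktop.authing.cn https://api.github.com";

function demo() {
  return {
    // connect-src absent -> default-src governs -> 'self' is not authing.cn -> blocked
    issue: evaluate(ISSUE_POLICY, 'connect-src', JWKS_URL, PAGE_ORIGIN),
    // same policy, an XHR to the dev server itself -> 'self' matches
    sameOrigin: evaluate(ISSUE_POLICY, 'connect-src', PAGE_ORIGIN + '/api/me', PAGE_ORIGIN),
    fixedJwks: evaluate(FIXED_POLICY, 'connect-src', JWKS_URL, PAGE_ORIGIN),
    fixedGithub: evaluate(FIXED_POLICY, 'connect-src', GITHUB_GRAPHQL, PAGE_ORIGIN),
    // no policy at all (the <meta> removed, as suggested in the comment above) -> nothing applies
    noPolicy: evaluate('', 'connect-src', JWKS_URL, PAGE_ORIGIN),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Adding the host to default-src instead of connect-src would also silence the warning, but it widens script-src, img-src and every other fallback directive at the same time; an explicit connect-src is the narrower change.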

@linonetwo
Author

linonetwo commented Sep 23, 2021

Many thanks! @BlackHole1
I was always trying to refine this <meta http-equiv="Content-Security-Policy" ...>, adding a host to it or modifying the host in it, and just couldn't escape that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I will try just removing it this time.

@codebytere
Member

No, thanks @BlackHole1! That about sums up what I would have said :)

@linonetwo
Author

linonetwo commented Nov 8, 2021

It is pretty weird that a page in development without any CSP header will lead to a CSP error:
[Screenshots 2021-11-09 00:42:55 and 00:43:01]

Would you mind reopen this?

Refused to connect to '' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

xhr.js?9eca:178 Refused to connect to 'https://tiddlygit-desktop.authing.cn/oidc/.well-known/jwks.json' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

dispatchXhrRequest @ xhr.js?9eca:178
graphql-hooks.js?8d13:282 Refused to connect to 'https://api.github.com/graphql' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I hope there can be a way to allow me to send requests to api.github in development!

@linonetwo
Author

[Screenshot 2021-11-09 00:47:12]

It even says CSP is not set while saying CSP is set.

@linonetwo
Author

Because: In production, the website is loaded using the file:// protocol, and in development, it uses the http:// protocol.

Solution: protocol.registerSchemesAsPrivileged

```js
const { protocol } = require('electron');

// Main process; must be called before the app 'ready' event, and only once.
protocol.registerSchemesAsPrivileged([
  { scheme: 'http', privileges: { standard: true, bypassCSP: true, allowServiceWorkers: true, supportFetchAPI: true, corsEnabled: true, stream: true } },
  { scheme: 'https', privileges: { standard: true, bypassCSP: true, allowServiceWorkers: true, supportFetchAPI: true, corsEnabled: true, stream: true } },
  { scheme: 'mailto', privileges: { standard: true } },
]);
```
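The workaround above registers http and https with bypassCSP: true, which exempts every http(s) subresource in every window from the page's CSP, so a build that ships it has effectively no CSP for network loads. The following is an added example, not code from the issue or from Electron: the same registration with bypassCSP gated on a dev flag, next to the narrower alternative of keeping CSP on and injecting a policy with an explicit connect-src from the main process via session.webRequest.onHeadersReceived. The host names come from the error messages in the issue; the NODE_ENV check and the function names are assumptions.

```javascript
// Added example (not code from the issue or from Electron): gate bypassCSP on a
// dev flag, and inject a header CSP whose connect-src is explicit so the
// default-src fallback that produced the warning never triggers.

const IS_DEV = process.env.NODE_ENV !== 'production';  // assumption: how the build is flagged
// Hosts the renderer talks to, taken from the issue's error messages.
const CONNECT_HOSTS = ['https://tiddlygit-desktop.authing.cn', 'https://api.github.com'];

// bypassCSP on http/https exempts every http(s) subresource, in every window,
// from the page's CSP, so it is granted only in development.
function privilegedSchemes(isDev) {
  const network = {
    standard: true, allowServiceWorkers: true, supportFetchAPI: true,
    corsEnabled: true, stream: true, bypassCSP: isDev,
  };
  return [
    { scheme: 'http', privileges: { ...network } },
    { scheme: 'https', privileges: { ...network } },
    { scheme: 'mailto', privileges: { standard: true } },
  ];
}

// The policy: connect-src explicit, so nothing falls back to default-src.
// 'unsafe-inline' (in the issue's policy; most dev tooling needs it) is kept
// out of production builds.
function buildCsp(connectHosts, isDev) {
  const defaultSrc = ["'self'", ...(isDev ? ["'unsafe-inline'"] : []), 'data:'];
  const connectSrc = ["'self'", ...connectHosts];
  return `default-src ${defaultSrc.join(' ')}; connect-src ${connectSrc.join(' ')}`;
}

// Replace any existing Content-Security-Policy header (case-insensitively) so the
// page ends up with exactly one policy; two headers would both be enforced.
function withCsp(responseHeaders, csp) {
  const kept = Object.entries(responseHeaders || {})
    .filter(([name]) => name.toLowerCase() !== 'content-security-policy');
  return { ...Object.fromEntries(kept), 'Content-Security-Policy': [csp] };
}

// Main-process wiring. registerSchemesAsPrivileged must run before app 'ready'
// and may be called only once; the header hook is installed once the default
// session exists. require('electron') resolves only inside Electron.
function installPolicy(isDev, connectHosts) {
  const { app, protocol, session } = require('electron');
  protocol.registerSchemesAsPrivileged(privilegedSchemes(isDev));
  app.whenReady().then(() => {
    const csp = buildCsp(connectHosts, isDev);
    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
      callback({ responseHeaders: withCsp(details.responseHeaders, csp) });
    });
  });
}

// In main.js: installPolicy(IS_DEV, CONNECT_HOSTS);
```

The injected header only reaches pages that arrive with HTTP response headers, i.e. the http:// dev server; for the file:// production build the <meta http-equiv="Content-Security-Policy"> tag in the HTML is still what governs. If the HTML keeps its own <meta> policy in development as well, both policies are enforced and a request has to satisfy each of them, so the meta tag must list the same connect-src hosts or be dropped from the dev build.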
