docs: Add a CSP meta tag to make the tutorial compliant with the security checklist #19819

Merged
merged 1 commit into from Aug 29, 2019

TomasHubelbauer (Contributor) commented Aug 19, 2019

I've asked #19775 because I was frustrated with how hard it was to find a way to fix (instead of hide) the CSP warning in Electron and I complained that even the official quick start guide wasn't compliant with the security checklist at https://electronjs.org/docs/tutorial/security. Someone helped me out with a CSP meta tag which I have later noticed is indeed mentioned in the checklist, too: https://electronjs.org/docs/tutorial/security#csp-meta-tag. I have not used the checklist one verbatim because it prevents a `script` tag from working when serving `index.html` through the `file:` protocol as the quick start does. I instead used the one the person in my issue recommended which seems to work well to me. I am not that well versed in CSP so there might be a better policy to include with the quick start, but this is what I've got for now.

notes: no-notes


welcome bot commented Aug 19, 2019

💖 Thanks for opening this pull request! 💖

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Aug 19, 2019
@TomasHubelbauer TomasHubelbauer changed the title from "Add a CSP meta tag to make the tutorial compliant with the security ch…" to "Add a CSP meta tag to make the tutorial compliant with the security checklist" Aug 19, 2019
@TomasHubelbauer TomasHubelbauer changed the title from "Add a CSP meta tag to make the tutorial compliant with the security checklist" to "docs: Add a CSP meta tag to make the tutorial compliant with the security checklist" Aug 19, 2019
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Aug 20, 2019
zcbenz (Member) left a comment

Personally I think this is very helpful; I would love more comments before merging.

@zcbenz zcbenz merged commit 35ebbb5 into electron:master Aug 29, 2019

welcome bot commented Aug 29, 2019

Congrats on merging your first pull request! 🎉🎉🎉


release-clerk bot commented Aug 29, 2019

No Release Notes

@betosimo

This does not help me. I tried EVERY possible combination and am still receiving this error: because it violates the following Content Security Policy directive: "default-src capacitor-electron://* 'unsafe-inline' data:". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback
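
The error quoted in the comment above names the fallback that decides which directive governs `<script>` element loads. The following is an added example, not part of the thread or of Electron's code, that resolves that fallback (`script-src-elem`, then `script-src`, then `default-src`) for the policy in the error message and checks whether a script URL's scheme appears in the effective source list. The function names and the sample URLs are assumptions, and the scheme check is deliberately simplified: keywords such as `'self'` and host matching are not evaluated.

```javascript
// Added example. POLICY is the directive quoted in the error message above.
const POLICY = "default-src capacitor-electron://* 'unsafe-inline' data:";

// CSP Level 3 fallback order for <script> element loads.
const SCRIPT_ELEM_FALLBACK = ['script-src-elem', 'script-src', 'default-src'];

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the directive that actually applies to script elements, or null
// when the policy does not restrict them at all.
function effectiveScriptElemDirective(policy) {
  const directives = parsePolicy(policy);
  for (const name of SCRIPT_ELEM_FALLBACK) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Necessary (not sufficient) condition: some scheme-source ("data:") or
// host-source with an explicit scheme ("x://*") names the URL's scheme.
function schemeCouldMatch(sources, url) {
  const scheme = new URL(url).protocol; // e.g. "file:"
  return sources.some((src) => {
    if (src.startsWith("'")) return false; // keywords are not evaluated here
    const m = /^([a-z][a-z0-9+.-]*:)(\/\/.*)?$/i.exec(src);
    return m !== null && m[1].toLowerCase() === scheme;
  });
}

function diagnose(policy, url) {
  const eff = effectiveScriptElemDirective(policy);
  if (eff === null) return { directive: null, schemeCouldMatch: true };
  return { directive: eff.name, schemeCouldMatch: schemeCouldMatch(eff.sources, url) };
}

// Constructed sample URL: a script loaded from disk, as in the quick start.
console.log(diagnose(POLICY, 'file:///app/renderer.js'));
```

Adding an explicit `script-src` or `script-src-elem` directive changes which source list `diagnose` reports, which is the first thing to confirm when a policy edit appears to have no effect.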
