Fix remote Node.js Resources (#218)

Fixes possible loading of remote node.js resources. Adds an appropriate content-security-policy.
microsoft · May 25, 2019 · 9141e8c · 9141e8c
1 parent fe41ced
commit 9141e8c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/Gui/Startup.cs b/Gui/Startup.cs
@@ -75,7 +75,9 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
 #else
             browserWindowOptions.AutoHideMenuBar = true;
 #endif
-
+            browserWindowOptions.WebPreferences = new WebPreferences();
+            browserWindowOptions.WebPreferences.NodeIntegration = false;
+            browserWindowOptions.WebPreferences.ContextIsolation = true;
             Task.Run(async () =>
             {
                 await Electron.WindowManager.CreateWindowAsync(browserWindowOptions);

diff --git a/Gui/Views/Shared/_Layout.cshtml b/Gui/Views/Shared/_Layout.cshtml
@@ -8,6 +8,7 @@
 <head>
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
     <title>Attack Surface Analyzer Preview</title>
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
     <link rel="stylesheet" href="~/css/site.css" asp-append-version="true" />
@@ -19,7 +20,7 @@
         }
     }
 
-@* Yep. This is included twice. Without including it twice electron does not work. *@
+    @* Yep. This is included twice. Without including it twice electron does not work. *@
     <script src="~/lib/jquery-3.4.0.min.js"></script>
     <script src="~/lib/jquery-3.4.0.min.js"></script>
     <script src="~/lib/fontawesome.js"></script>