Skip to content

Commit

Permalink
feat(core): expose invoke key for custom IPC implementations (#11235)
Browse files Browse the repository at this point in the history
custom IPC systems that manually call Webview::on_message must know the invoke key checked by Tauri. This exposes that key in the App/AppHandle instances.

This is safe because the key is never leaked to remote denied webview URLs
  • Loading branch information
lucasfernog authored Oct 6, 2024
1 parent e2a4da0 commit 03e7590
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .changes/expose-invoke-key.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"tauri": patch:enhance
---

Added `App::invoke_key` and `AppHandle::invoke_key` for custom invoke systems that rely on manual `Webview::on_message` calls.
9 changes: 9 additions & 0 deletions crates/tauri/src/app.rs
Original file line number Diff line number Diff line change
Expand Up @@ -878,6 +878,15 @@ macro_rules! shared_app_impl {
webview.resources_table().clear();
}
}

/// Gets the invoke key that must be referenced when using [`crate::webview::InvokeRequest`].
///
/// # Security
///
/// DO NOT expose this key to third party scripts as might grant access to the backend from external URLs and iframes.
pub fn invoke_key(&self) -> &str {
self.manager.invoke_key()
}
}

impl<R: Runtime> Listener<R> for $app {
Expand Down

0 comments on commit 03e7590

Please sign in to comment.