chore(linux): remove CSP tag on custom protocol response (#8984)

lucasfernog · web-flow · commit bc5b5e671a54 · 2024-02-26T13:08:19.000-03:00
diff --git a/.changes/csp-header-linux.md b/.changes/csp-header-linux.md
@@ -0,0 +1,7 @@
+---
+"tauri": patch:enhance
+"tauri-utils": patch:enhance
+"tauri-codegen": patch:enhance
+---
+
+Do not include a CSP tag in the application HTML and rely on the custom protocol response header instead.
diff --git a/core/tauri-codegen/src/context.rs b/core/tauri-codegen/src/context.rs
@@ -40,7 +40,6 @@ pub struct ContextData {
 
 fn map_core_assets(
   options: &AssetOptions,
-  target: Target,
 ) -> impl Fn(&AssetKey, &Path, &mut Vec<u8>, &mut CspHashes) -> Result<(), EmbeddedAssetsError> {
   #[cfg(feature = "isolation")]
   let pattern = tauri_utils::html::PatternObject::from(&options.pattern);
@@ -53,10 +52,6 @@ fn map_core_assets(
       if csp {
         let document = parse_html(String::from_utf8_lossy(input).into_owned());
 
-        if target == Target::Linux {
-          ::tauri_utils::html::inject_csp_token(&document);
-        }
-
         inject_nonce_token(&document, &dangerous_disable_asset_csp_modification);
 
         if dangerous_disable_asset_csp_modification.can_modify("script-src") {
@@ -176,15 +171,15 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
               path
             )
           }
-          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options, target))?
+          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options))?
         }
         FrontendDist::Files(files) => EmbeddedAssets::new(
           files
             .iter()
             .map(|p| config_parent.join(p))
             .collect::<Vec<_>>(),
           &options,
-          map_core_assets(&options, target),
+          map_core_assets(&options),
         )?,
         _ => unimplemented!(),
       },
diff --git a/core/tauri-runtime-wry/src/lib.rs b/core/tauri-runtime-wry/src/lib.rs
@@ -2854,7 +2854,6 @@ fn handle_user_message<T: UserEvent>(
           }
           // Getters
           WebviewMessage::Url(tx) => {
-            println!("url getter");
             tx.send(webview.url().parse().unwrap()).unwrap();
           }
           WebviewMessage::Position(tx) => {
diff --git a/core/tauri-utils/src/html.rs b/core/tauri-utils/src/html.rs
@@ -23,8 +23,6 @@ use crate::config::{DisabledCspModificationKind, PatternKind};
 #[cfg(feature = "isolation")]
 use crate::pattern::isolation::IsolationJavascriptCodegen;
 
-/// The token used on the CSP tag content.
-pub const CSP_TOKEN: &str = "__TAURI_CSP__";
 /// The token used for script nonces.
 pub const SCRIPT_NONCE_TOKEN: &str = "__TAURI_SCRIPT_NONCE__";
 /// The token used for style nonces.
@@ -168,11 +166,6 @@ pub fn inject_csp(document: &NodeRef, csp: &str) {
   });
 }
 
-/// Injects a content security policy token to the HTML.
-pub fn inject_csp_token(document: &NodeRef) {
-  inject_csp(document, CSP_TOKEN)
-}
-
 fn create_csp_meta_tag(csp: &str) -> NodeRef {
   NodeRef::new_element(
     QualName::new(None, ns!(html), LocalName::from("meta")),
@@ -298,12 +291,12 @@ mod tests {
     ];
     for html in htmls {
       let document = kuchiki::parse_html().one(html);
-      super::inject_csp_token(&document);
+      let csp = "csp-string";
+      super::inject_csp(&document, csp);
       assert_eq!(
         document.to_string(),
         format!(
-          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{}"></head><body></body></html>"#,
-          super::CSP_TOKEN
+          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{csp}"></head><body></body></html>"#,
         )
       );
     }
diff --git a/core/tauri/src/protocol/tauri.rs b/core/tauri/src/protocol/tauri.rs
@@ -164,14 +164,6 @@ fn get_response<R: Runtime>(
   if let Some(handler) = &web_resource_request_handler {
     handler(request, &mut response);
   }
-  // if it's an HTML file, we need to set the CSP meta tag on Linux
-  #[cfg(target_os = "linux")]
-  if let Some(response_csp) = response.headers().get("Content-Security-Policy") {
-    let response_csp = String::from_utf8_lossy(response_csp.as_bytes());
-    let html = String::from_utf8_lossy(response.body());
-    let body = html.replacen(tauri_utils::html::CSP_TOKEN, &response_csp, 1);
-    *response.body_mut() = body.as_bytes().to_vec().into();
-  }
 
   Ok(response)
 }

Original file line number	Diff line number	Diff line change
`@@ -2854,7 +2854,6 @@ fn handle_user_message<T: UserEvent>(`
`2854`	`2854`	`}`
`2855`	`2855`	`// Getters`
`2856`	`2856`	`WebviewMessage::Url(tx) => {`
`2857`		`- println!("url getter");`
`2858`	`2857`	`tx.send(webview.url().parse().unwrap()).unwrap();`
`2859`	`2858`	`}`
`2860`	`2859`	`WebviewMessage::Position(tx) => {`
Original file line number	Diff line number	Diff line change
`@@ -164,14 +164,6 @@ fn get_response<R: Runtime>(`
`164`	`164`	`if let Some(handler) = &web_resource_request_handler {`
`165`	`165`	`handler(request, &mut response);`
`166`	`166`	`}`
`167`		`- // if it's an HTML file, we need to set the CSP meta tag on Linux`
`168`		`- #[cfg(target_os = "linux")]`
`169`		`- if let Some(response_csp) = response.headers().get("Content-Security-Policy") {`
`170`		`- let response_csp = String::from_utf8_lossy(response_csp.as_bytes());`
`171`		`- let html = String::from_utf8_lossy(response.body());`
`172`		`- let body = html.replacen(tauri_utils::html::CSP_TOKEN, &response_csp, 1);`
`173`		`- *response.body_mut() = body.as_bytes().to_vec().into();`
`174`		`- }`
`175`	`167`
`176`	`168`	`Ok(response)`
`177`	`169`	`}`