feat: improve CSP security with nonces and hashes, add devCsp [TRI-004] (#8)

Author: lucasfernog

.changes/csp-nonces.md

@@ -0,0 +1,7 @@
+---
+"tauri": patch
+"tauri-codegen": patch
+"tauri-utils": patch
+---
+
+Apply `nonce` to `script` and `style` tags and set them on the `CSP` (`script-src` and `style-src` fetch directives).

.changes/dev-csp.md

@@ -0,0 +1,6 @@
+---
+"tauri-utils": patch
+"cli.rs": patch
+---
+
+Added `dev_csp` to the `security` configuration object.

Cargo.toml

@@ -12,7 +12,9 @@ members = [
 exclude = [
   # examples that can be compiled with the tauri CLI
   "examples/api/src-tauri",
-  "examples/updater/src-tauri"
+  "examples/updater/src-tauri",
+  "examples/resources/src-tauri",
+  "examples/sidecar/src-tauri"
 ]
 
 # default to small, optimized workspace release binaries

core/tauri-build/src/lib.rs

@@ -131,18 +131,13 @@ pub fn try_build(attributes: Attributes) -> Result<()> {
         }
       }
     }
-  } else if let Some(tauri) = tauri_item.as_value_mut() {
-    match tauri {
-      Value::InlineTable(table) => {
-        if let Some(Value::Array(f)) = table.get("features") {
-          for feat in f.iter() {
-            if let Value::String(feature) = feat {
-              features.push(feature.value().to_string());
-            }
-          }
+  } else if let Some(Value::InlineTable(table)) = tauri_item.as_value_mut() {
+    if let Some(Value::Array(f)) = table.get("features") {
+      for feat in f.iter() {
+        if let Value::String(feature) = feat {
+          features.push(feature.value().to_string());
         }
       }
-      _ => {}
     }
   }
 

core/tauri-codegen/Cargo.toml

@@ -13,6 +13,8 @@ exclude = [ ".license_template", "CHANGELOG.md", "/target" ]
 readme = "README.md"
 
 [dependencies]
+sha2 = "0.9"
+base64 = "0.13"
 blake3 = { version = "1.2", features = [ "rayon" ] }
 proc-macro2 = "1"
 quote = "1"

core/tauri-codegen/src/context.rs

@@ -26,8 +26,18 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
   } = data;
 
   let mut options = AssetOptions::new();
-  if let Some(csp) = &config.tauri.security.csp {
-    options = options.csp(csp.clone());
+  let csp = if dev {
+    config
+      .tauri
+      .security
+      .dev_csp
+      .clone()
+      .or_else(|| config.tauri.security.csp.clone())
+  } else {
+    config.tauri.security.csp.clone()
+  };
+  if csp.is_some() {
+    options = options.with_csp();
   }
 
   let app_url = if dev {
@@ -54,12 +64,15 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
             path
           )
         }
-        EmbeddedAssets::new(&assets_path, options)?
+        EmbeddedAssets::new(assets_path, options)?
       }
       _ => unimplemented!(),
     },
-    AppUrl::Files(files) => EmbeddedAssets::load_paths(
-      files.iter().map(|p| config_parent.join(p)).collect(),
+    AppUrl::Files(files) => EmbeddedAssets::new(
+      files
+        .iter()
+        .map(|p| config_parent.join(p))
+        .collect::<Vec<_>>(),
       options,
     )?,
     _ => unimplemented!(),
@@ -121,9 +134,11 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
         Some(
           #root::Icon::File(
             #root::api::path::resolve_path(
-              &#config, &#package_info,
-             #system_tray_icon_file_path,
-             Some(#root::api::path::BaseDirectory::Resource)
+              &#config,
+              &#package_info,
+              &Default::default(),
+              #system_tray_icon_file_path,
+              Some(#root::api::path::BaseDirectory::Resource)
             ).expect("failed to resolve resource dir")
           )
         )