feat(core): allow configuring remote domains with IPC access, closes #5088

[lucasfernog]

What kind of change does this PR introduce?

• Bugfix
• Feature
• Docs
• New Binding issue #___
• Code style update
• Refactor
• Build-related changes
• Other, please describe:

Does this PR introduce a breaking change?

• Yes, and the changes were approved in issue #___
• No

Checklist

• When resolving issues, they are referenced in the PR's title (e.g fix: remove a typo, closes #___, #___)
• A change file is added if any packages will require a version bump due to this PR per the instructions in the readme.
• I have added a convincing reason for adding this feature, if necessary

Other information

[Sytten]

Thanks for taking on this challenge. I left some comments, some are blocking IMO.

Apart from those comments, I remember there was a reason why I didnt reuse the same function to inject the scripts in the window, but I don't remember why...

[Sytten]

The reason I used a string here is to allow URL patterns. In our case we need to allow all URLs (*) but there is a more "legitimate" use case to allow all sub domains of a particular domain (*.example.com). Since it is converted into a glob anyway down the line it is fine.

[tweidinger]

Since in the general use case this is extremely fragile, it should be hard to allow all domains. Non pentest/security apps are the exception with edge cases and deliberately 'insecure' settings.

[Sytten]

Unsure if the name should change since it also whitelist plugin

[Sytten]

AFAIK if you use an URL, this is not true anymore. But like I said I prefer the glob.

[lucasfernog]

It should still work, we use the same logic for the HTTP allowlist.

[Sytten]

I will need to test but I am pretty certain the Url parser rejects a single *?

[FabianLars]

yes but you can do https://* (or https://**?) with effectively the same effect.

Edit: stuff like https://*.domain.com also works

[Sytten]

I guess this is good for official TaurI, wont cut it for us since we also need to support http but I will maintain my fork.

[FabianLars]

well, you can also do http://... of course. Sure, it's a bit annoying if you want to support both protocols at the same time because it only accepts a single url (especially if we take into account the other convo about finer allowlist-like control)

[Sytten]

Yup, thus my recommendation to keep it as a free string

[lucasfernog]

Allowing http is super dangerous. And we could also allow an array of urls on the same scope.

[Sytten]

I mean sure but at the same time this feature is an escape hatch and its made abundantly clear with the name that its dangerous. Http is perfectly acceptable for a lot of use cases like local installations or forwarded via an SSH tunnel.

[tweidinger]

How about only allowing https:// in the normal configuration while you could still manipulate the state (and scope) from rust core if you really really need to and understand the implications?
The same goes for wildcards like https://* and only allow https://example.tld/* or https://*.example.tld this way the already insecure feature is still somewhat reasonable.

[Sytten]

Hummm I don't like that. Currently there is no check for modules like fs. I think we should do something similar to plugin where we can whitelist each module.

[lucasfernog]

I thought about adding an allowlist configuration object for each external access scope, but maybe the root allowlist can be used for that instead? Any reason a Tauri app should have multiple allowlists, one for each URL?

Also this can be confusing since you'd need to enable the allowlist on the root object to add it to the binary, and also allow it in the external access scope.

[Sytten]

Yes this is important since it relates to security. Let me give you our usecase.

We have a first in-app window that manages the connections of the user. That window has access to the filesystem to store the configuration.

The user the clicks on a connection which opens a second window with the external URL. We really do not want this window accessing the filesystem directly. We just want it to access certain carefully crafted commands that are safe to call.

This is why I originally only allowed commands and even then I wanted to build a way to limit which commands could be called

Though I agree there could be a default to allow it to take the same values as the general allow list for modules.

[lucasfernog]

Yeah I think we should add an option to block all Tauri APIs. That's easy and won't bloat the codebase with runtime allowlist checks.

[lucasfernog]

Pushed a change to address this.

[Sytten]

Since we forked Tauri to ship our patched version, I had some ideas. I think whitelisting which command can be run would be really cool, but not a blocker for this PR.

[lucasfernog]

See the message above. Also, it would need a lot of code to add this :(

[Sytten]

This can come in a subsequent PR, happy to pitch in for the implementation

[austenc]

This PR opens up some really cool possibilities. Also, I know it's probably still a WIP.

After trying it out I think that the messaging and/or error related to the windows part of the config can be improved. More specifically, it wasn't clear what value to use for windows -- the app's name (the "title" of the window), or main.

Originally had something like this in my tauri.conf.json:

"dangerousExternalCommandAccess": [
    {
      "url": "https://my-localhost-app-url",
      "windows": ["my-app-name"]
    }
]

When changed to "windows": ["main"] it works.

Not sure whether it's a matter of improving the Scope not defined error message, or whether it's a documentation thing, but that was a tiny papercut I ran into. Thanks again for the work on this!

[lucasfernog]

@austenc we do mention it's the window labels, see https://github.com/tauri-apps/tauri/pull/5918/files#diff-ff73997dde3dc4965aa0c59ce0b37c7d208ae5b6b7686bf19e14d93c98cc1bacR1116. I'll improve the error message though.

[austenc]

Thanks for helping out a rust noob :) And thanks again for the work on this feature, really great!

[1zun4secondary]

How do I exactly use this tauri pull request?
I imported the library into my rust-project via
tauri = { git = "https://github.com/tauri-apps/tauri.git", branch = "feat/remote-ipc", features = ["api-all"] }
which worked out.

But when I run npm run tauri dev, it will say:

Error `tauri.conf.json` error on `tauri > security`: Additional properties are not allowed ('dangerousExternalCommandAccess' was unexpected)

Which makes sense, because the NPM tauri-cli library is still the v1.2.2. I don't know much about NPM, so I was wondering how I can use this pull request now?

[FabianLars]

@1zun4 see https://tauri.app/v1/guides/faq#how-can-i-use-unpublished-tauri-changes (Using the Tauri CLI from source) - i recommend using the cargo cli instead since it's easier to use a git version imo.

Oh and make sure to also use the tauri-build crate from git.

[1zun4secondary]

@1zun4 see https://tauri.app/v1/guides/faq#how-can-i-use-unpublished-tauri-changes (Using the Tauri CLI from source) - i recommend using the cargo cli instead since it's easier to use a git version imo.

Oh and make sure to also use the tauri-build crate from git.

Thank you very much! It works flawless with my application. Looking forward for it being merged.

When changed to "windows": ["main"] it works.

Not sure whether it's a matter of improving the Scope not defined error message, or whether it's a documentation thing, but that was a tiny papercut I ran into. Thanks again for the work on this!

... took me a while to figure it out... haha

[ddx95]

Hello, is there any way to modify/add dynamically a value to the dangerousExternalCommandAccess field from the main.rs ? I would need, for example, to get my remote server address from another configuration file, a environment variable or a register key.

[tm1000]

What's the status of this PR?

[prestomation]

Looks like there is lots of interest in this feature. What can the community to do help it land?

[nothingismagick]

First of all, this is an approach that removes security features that underly the entire premise of Tauri - all of us can agree on this. It is basically permitting people to drive a motorcycle without a helmet.

To that extent I would propose that we empower the individual to KNOW that this is going on and DENY such permissive use, especially in "*" wildcard situations.

One idea to harden this is to use a model similar to the way our Isolation pattern works, where the app sends an authorization to the remote, and the remote has to reply properly or tauri IPC execution is prevented.

I think @tauri-apps/wg-security must absolutely sign off on this before it enters canon, especially since this modifies the isolation.js guardrails as well.

[lucasfernog]

The security team has been auditing this PR and the finds will be public soon - along with the proposed solution to improve security.

[Sytten]

Can't wait for their input, I still stand with the review I made 3 months ago. This feature is an escape hatch for "dangerous" usecases, so for me it should allow users to whitelist each element as they wish. It should be very specific in its definition but broad in what it allows (like: I want to allow plugin X for all websites). It should definitely not be used 99% of the time. Our usecase for it was to be able to allow loading remote UI that can interact with some whitelisted tauri commands. It would even be ok with a compiler warning if this feature is used.

[lucasfernog]

One thing I did not touch is usage of remote URLs with the isolation protocol enabled. Since we can't inject the isolation protocol scripts (?) it does not work at all right now.

[tillmann-crabnebula]

Minor documentation changes but implementation looks good to me 👍

[lucasfernog]

@tillmann-crabnebula I've pushed some changes to make this work with the isolation pattern.

I'm planning on merging this and release 1.3 next week if we can get all blog posts ready.

[lucasfernog]

We had to change the approach here from "configuring remote URLs with glob patterns" to "configuring domains" for security reasons. If you need to allow ALL URLs, that is super dangerous and you'll need to do so by listening to the navigation event via WindowBuilder::on_navigation and manually adding the domain to the scope.

[tweidinger]

Since in the general use case this is extremely fragile, it should be hard to allow all domains. Non pentest/security apps are the exception with edge cases and deliberately 'insecure' settings.

[tweidinger]

How about only allowing https:// in the normal configuration while you could still manipulate the state (and scope) from rust core if you really really need to and understand the implications?
The same goes for wildcards like https://* and only allow https://example.tld/* or https://*.example.tld this way the already insecure feature is still somewhat reasonable.

[Sytten]

Thats fair, at least there is a way to do it. I will give it a try this week. When is it planned to be released?

[lucasfernog]

We're working to release it this week.

[1zun4secondary]

huuray

[limitedmage]

Hello, will this be released for v1.x or will this have to wait until v2.0?

[FabianLars]

It will be part of v1.3

[luucasrb]

Can we have this feature in the next branch as a 2.0 feature? I would love to use it in my context, but I cannot downgrade to the 1.x.

[FabianLars]

@luucasrb It already is in the next branch. iirc it was also part of alpha.9 but not 100% sure about that.

[luucasrb]

Thanks, you are right. My confusion was that the dangerousRemoteDomainIpcAccess config is only in the v1 docs but not in the next docs.

[JVariance]

We had to change the approach here from "configuring remote URLs with glob patterns" to "configuring domains" for security reasons. If you need to allow ALL URLs, that is super dangerous and you'll need to do so by listening to the navigation event via WindowBuilder::on_navigation and manually adding the domain to the scope.

I want to add domains inside on_navigation, but I just don't succeed. Can you give me an example, how I can do it?