tauri-apps · lucasfernog · Feb 26, 2024 · Feb 26, 2024
@@ -0,0 +1,7 @@
+---
+"tauri": patch:enhance
+"tauri-utils": patch:enhance
+"tauri-codegen": patch:enhance
+---
+
+Do not include a CSP tag in the application HTML and rely on the custom protocol response header instead.
@@ -40,7 +40,6 @@ pub struct ContextData {
 
 fn map_core_assets(
   options: &AssetOptions,
-  target: Target,
 ) -> impl Fn(&AssetKey, &Path, &mut Vec<u8>, &mut CspHashes) -> Result<(), EmbeddedAssetsError> {
   #[cfg(feature = "isolation")]
   let pattern = tauri_utils::html::PatternObject::from(&options.pattern);
@@ -53,10 +52,6 @@ fn map_core_assets(
       if csp {
         let document = parse_html(String::from_utf8_lossy(input).into_owned());
 
-        if target == Target::Linux {
-          ::tauri_utils::html::inject_csp_token(&document);
-        }
-
         inject_nonce_token(&document, &dangerous_disable_asset_csp_modification);
 
         if dangerous_disable_asset_csp_modification.can_modify("script-src") {
@@ -176,15 +171,15 @@ pub fn context_codegen(data: ContextData) -> Result<TokenStream, EmbeddedAssetsE
               path
             )
           }
-          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options, target))?
+          EmbeddedAssets::new(assets_path, &options, map_core_assets(&options))?
         }
         FrontendDist::Files(files) => EmbeddedAssets::new(
           files
             .iter()
             .map(|p| config_parent.join(p))
             .collect::<Vec<_>>(),
           &options,
-          map_core_assets(&options, target),
+          map_core_assets(&options),
         )?,
         _ => unimplemented!(),
       },

@@ -2854,7 +2854,6 @@ fn handle_user_message<T: UserEvent>(
           }
           // Getters
           WebviewMessage::Url(tx) => {
-            println!("url getter");
             tx.send(webview.url().parse().unwrap()).unwrap();
           }
           WebviewMessage::Position(tx) => {

@@ -23,8 +23,6 @@ use crate::config::{DisabledCspModificationKind, PatternKind};
 #[cfg(feature = "isolation")]
 use crate::pattern::isolation::IsolationJavascriptCodegen;
 
-/// The token used on the CSP tag content.
-pub const CSP_TOKEN: &str = "__TAURI_CSP__";
 /// The token used for script nonces.
 pub const SCRIPT_NONCE_TOKEN: &str = "__TAURI_SCRIPT_NONCE__";
 /// The token used for style nonces.
@@ -168,11 +166,6 @@ pub fn inject_csp(document: &NodeRef, csp: &str) {
   });
 }
 
-/// Injects a content security policy token to the HTML.
-pub fn inject_csp_token(document: &NodeRef) {
-  inject_csp(document, CSP_TOKEN)
-}
-
 fn create_csp_meta_tag(csp: &str) -> NodeRef {
   NodeRef::new_element(
     QualName::new(None, ns!(html), LocalName::from("meta")),
@@ -298,12 +291,12 @@ mod tests {
     ];
     for html in htmls {
       let document = kuchiki::parse_html().one(html);
-      super::inject_csp_token(&document);
+      let csp = "csp-string";
+      super::inject_csp(&document, csp);
       assert_eq!(
         document.to_string(),
         format!(
-          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{}"></head><body></body></html>"#,
-          super::CSP_TOKEN
+          r#"<html><head><meta http-equiv="Content-Security-Policy" content="{csp}"></head><body></body></html>"#,
         )
       );
     }

@@ -164,14 +164,6 @@ fn get_response<R: Runtime>(
   if let Some(handler) = &web_resource_request_handler {
     handler(request, &mut response);
   }
-  // if it's an HTML file, we need to set the CSP meta tag on Linux
-  #[cfg(target_os = "linux")]
-  if let Some(response_csp) = response.headers().get("Content-Security-Policy") {
-    let response_csp = String::from_utf8_lossy(response_csp.as_bytes());
-    let html = String::from_utf8_lossy(response.body());
-    let body = html.replacen(tauri_utils::html::CSP_TOKEN, &response_csp, 1);
-    *response.body_mut() = body.as_bytes().to_vec().into();
-  }
 
   Ok(response)
 }