support customer http response header for CSP #2766

Open
kcmvp opened this issue Jul 10, 2023 · 4 comments
Labels
awaiting feedback More information is required from the requestor

Comments

@kcmvp

kcmvp commented Jul 10, 2023

Description

I am building an app based on https://github.com/rhysd/vim.wasm, which depends on SharedArrayBuffer and Atomics.
I ran into the error below, with a CSP exception.

react-dom.development.js:22839 Uncaught ReferenceError: SharedArrayBuffer is not defined
    at new VimWorker (vimwasm.js:1:1638)
    at new VimWasm (vimwasm.js:1:13290)
    at Vim.tsx:74:13
    at commitHookEffectListMount (react-dom.development.js:23150:26)
    at commitPassiveMountOnFiber (react-dom.development.js:24926:13)
    at commitPassiveMountEffects_complete (react-dom.development.js:24891:9)
    at commitPassiveMountEffects_begin (react-dom.development.js:24878:7)
    at commitPassiveMountEffects (react-dom.development.js:24866:3)
    at flushPassiveEffectsImpl (react-dom.development.js:27039:3)

react-native has the same issue, facebook/create-react-app#10210 (comment)

It seems the solution works by adding two HTTP response headers:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

How to achieve this in Wails?

To Reproduce

1: Create a simple Wails app with the react-ts template.
2: Copy the react-vim source into the project.
3: Run the project to get the result.

Expected behaviour

Support custom HTTP response headers.

Screenshots

No response

Attempted Fixes

No response

System Details

# System

OS           | MacOS
Version      | 13.4.1
ID           | 22F82
Go Version   | go1.20rc2
Platform     | darwin
Architecture | amd64

# Wails

Version | v2.5.1

# Dependencies

Dependency                | Package Name | Status    | Version
Xcode command line tools  | N/A          | Installed | 2397
Nodejs                    | N/A          | Installed | 16.17.0
npm                       | N/A          | Installed | 8.15.0
*Xcode                    | N/A          | Installed | 14.3.1 (14E300c)
*upx                      | N/A          | Available |
*nsis                     | N/A          | Available |
* - Optional Dependency

# Diagnosis

Your system is ready for Wails development!
Optional package(s) installation details:
  - upx : Available at https://upx.github.io/
  - nsis : More info at https://wails.io/docs/guides/windows-installer/

Additional context

No response

@kcmvp kcmvp added the Bug Something isn't working label Jul 10, 2023
@kcmvp kcmvp changed the title Support SharedArrayBuffer and Atomics by adding http header Add customer http response header for https://www.w3.org/TR/CSP3/#csp-header Jul 10, 2023
@kcmvp kcmvp changed the title Add customer http response header for https://www.w3.org/TR/CSP3/#csp-header Add customer http response header for CSP Jul 10, 2023
@kcmvp kcmvp changed the title Add customer http response header for CSP support customer http response header for CSP Jul 10, 2023
@stffabi
Collaborator

stffabi commented Jul 10, 2023

Thanks for using Wails and opening this.

You can achieve this by using a custom AssetServer middleware that injects those two headers.

There's also a discord thread that has more information about exactly your use-case: https://discord.com/channels/1042734330029547630/1115379135464874095

@stffabi stffabi removed the Bug Something isn't working label Jul 10, 2023
@kcmvp
Author

kcmvp commented Jul 11, 2023

Thank you very much! I will have a try.

@kcmvp
Author

kcmvp commented Jul 11, 2023

Had a try, but it seems it does not set the response header.
1: set Middleware

AssetServer: &assetserver.Options{
  Assets:     assets,
  Middleware: assetserver.ChainMiddleware(CSP),
},

2: CSP

func CSP(handler http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // https://github.com/rhysd/vim.wasm/issues/45
    w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
    w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
    fmt.Println("def")
    fmt.Println(w.Header().Get("Cross-Origin-Opener-Policy"))
  })
}

Build the project and run it again.
1: In the console I can see the logs "def" and "same-origin",
but when I open the front page directly in Chrome (curl -v), I cannot see the HTTP headers. Here is the output:

< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: text/html
< Cache-Control: no-cache
< Etag: W/"249-3dHCE3uxOAj93xphJKZYTUoA54w"
< Date: Tue, 11 Jul 2023 03:08:37 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 585

@stffabi
Collaborator

stffabi commented Jul 13, 2023

2: CSP

It seems like your middleware does not call the original handler. It should look like this and call the original handler at the end.

// Needs the "fmt" and "net/http" imports.
func CSP(handler http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // https://github.com/rhysd/vim.wasm/issues/45
    w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
    w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
    fmt.Println("def")
    fmt.Println(w.Header().Get("Cross-Origin-Opener-Policy"))
    handler.ServeHTTP(w, r) // Call the original request chain
  })
}

but I open the front page directly in chrome(curl -v)

Which address and port did you use to do the curl?

@stffabi stffabi added the awaiting feedback More information is required from the requestor label Jul 17, 2023
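
A way to check a middleware like the one discussed above without a browser or curl, using Go's net/http/httptest. This is an added example, not code from the thread or from Wails; `withIsolation`, `probe` and `assets` are hypothetical names and the page body is constructed. It shows that the variant that never calls the wrapped handler still emits both headers but serves no body, while a handler that is not wrapped at all is reported as missing both.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isolationHeaders are the two response headers named in the issue.
var isolationHeaders = map[string]string{
	"Cross-Origin-Opener-Policy":   "same-origin",
	"Cross-Origin-Embedder-Policy": "require-corp",
}

// withIsolation sets the headers; callNext=false reproduces the first
// middleware in the thread, which never calls the wrapped handler.
func withIsolation(next http.Handler, callNext bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range isolationHeaders {
			w.Header().Set(k, v)
		}
		if callNext {
			next.ServeHTTP(w, r)
		}
	})
}

// probe sends one GET through h: headers missing or wrong, and body size.
func probe(h http.Handler) (missing []string, bodyLen int) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	got := rec.Result().Header
	for k, want := range isolationHeaders {
		if got.Get(k) != want {
			missing = append(missing, k)
		}
	}
	return missing, rec.Body.Len()
}

// assets is a constructed stand-in for the application's asset handler.
var assets = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "<!doctype html><title>constructed page</title>")
})

func main() {
	fmt.Println(probe(withIsolation(assets, false))) // headers set, empty body
	fmt.Println(probe(withIsolation(assets, true)))  // headers set, page served
	fmt.Println(probe(assets))                       // no middleware: both missing
}
```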