-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add HeaderConfig to SecurityConfig #11485
Conversation
* Create add-headers-config-option.md * Update schema.json * Update schema.json * Update config.schema.json * Update config.schema.json * Update config.rs * Create security.rs * Update tauri.rs
Package Changes Through b58ae8bThere are 9 changes which include tauri-utils with minor, tauri with minor, @tauri-apps/api with minor, tauri-bundler with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri-runtime-wry with minor, tauri-macros with patch, tauri-runtime with minor Planned Package VersionsThe following package releases are the planned based on the context of changes in this pull request.
Add another change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please revert the changes where you moved types from config.rs
to config/security.rs
so the relevant PRs could be reviewed separately, after merge, your can open another PR to refactor things into different files.
Co-authored-by: Amr Bashir <[email protected]>
Co-authored-by: Amr Bashir <[email protected]>
Co-authored-by: Amr Bashir <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just need approval of @tweidinger
Note you need to run cargo b -p tauri-schema-generator
to fix CI
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
Feature
Adds a new configuration option for the tauri configuration file. This being headers in the app>security. Headers defined the are added to every http response from tauri to the web view. This doesn't include IPC messages and error responses. The header names are limited to:
Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Expose-Headers
Access-Control-Max-Age
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Permissions-Policy
Timing-Allow-Origin
X-Content-Type-Options
Tauri-Custom-Header
I primarily wanted to use SharedArrayBuffer,
which requires cross-origin isolation. Since there was no effort in adding more headers I looked for the ones, that would make the most sense.
The Content-Security-Policy(CSP) remains untouched. I tried to implement a unified way to define headers, including the CSP, but to no avail.
Since it's a very dynamic header, with grave implications for security, it's better to remain untouched.
Example configuration
In this example
Cross-Origin-Opener-Policy
andCross-Origin-Embedder-Policy
are set to allow for the use ofSharedArrayBuffer
.The result is, that those headers are then set on every response sent via the
get_response
function in crates/tauri/src/protocol/tauri.rs.The Content-Security-Policy header is defined separately, because it is also handled separately.
For the helloworld example, this config translates into those response headers:
Since the resulting header values are always 'string-like'. So depending on the what data type the HeaderSource is, they need to be converted.
String
(JS/Rust): stay the same for the resulting header valueArray
(JS)/Vec\<String\>
(Rust): Item are joined by ", " for the resulting header valueObject
(JS)/Hashmap\<String,String\>
(Rust): Items are composed from: key + space + value. Item are then joined by "; " for the resulting header value