Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add HeaderConfig to SecurityConfig #11485

Merged
merged 23 commits into from
Nov 6, 2024
Merged

Conversation

39zde
Copy link
Contributor

@39zde 39zde commented Oct 24, 2024

Feature

Adds a new configuration option for the tauri configuration file. This being headers in the app>security. Headers defined the are added to every http response from tauri to the web view. This doesn't include IPC messages and error responses. The header names are limited to:

  • Access-Control-Allow-Credentials
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Methods
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Permissions-Policy
  • Timing-Allow-Origin
  • X-Content-Type-Options
  • Tauri-Custom-Header

I primarily wanted to use SharedArrayBuffer,
which requires cross-origin isolation. Since there was no effort in adding more headers I looked for the ones, that would make the most sense.
The Content-Security-Policy(CSP) remains untouched. I tried to implement a unified way to define headers, including the CSP, but to no avail.
Since it's a very dynamic header, with grave implications for security, it's better to remain untouched.

Example configuration

{
 //..
  app:{
    //..
    security: {
      headers: {
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp",
        "Timing-Allow-Origin": [
          "https://developer.mozilla.org",
          "https://example.com",
        ],
        "Access-Control-Expose-Headers": "Tauri-Custom-Header",
        "Tauri-Custom-Header": {
          "key1": "'value1' 'value2'",
          "key2": "'value3'"
        }
      },
      csp: "default-src 'self'; connect-src ipc: http://ipc.localhost",
    }
    //..
  }
 //..
}

In this example Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy are set to allow for the use of SharedArrayBuffer.
The result is, that those headers are then set on every response sent via the get_response function in crates/tauri/src/protocol/tauri.rs.
The Content-Security-Policy header is defined separately, because it is also handled separately.

For the helloworld example, this config translates into those response headers:

access-control-allow-origin:  http://tauri.localhost
access-control-expose-headers: Tauri-Custom-Header
content-security-policy: default-src 'self'; connect-src ipc: http://ipc.localhost; script-src 'self' 'sha256-Wjjrs6qinmnr+tOry8x8PPwI77eGpUFR3EEGZktjJNs='
content-type: text/html
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
tauri-custom-header: key1 'value1' 'value2'; key2 'value3'
timing-allow-origin: https://developer.mozilla.org, https://example.com

Since the resulting header values are always 'string-like'. So depending on the what data type the HeaderSource is, they need to be converted.

  • String(JS/Rust): stay the same for the resulting header value
  • Array(JS)/Vec\<String\>(Rust): Item are joined by ", " for the resulting header value
  • Object(JS)/ Hashmap\<String,String\>(Rust): Items are composed from: key + space + value. Item are then joined by "; " for the resulting header value

39zde added 7 commits October 24, 2024 10:34
* Create add-headers-config-option.md

* Update schema.json

* Update schema.json

* Update config.schema.json

* Update config.schema.json

* Update config.rs

* Create security.rs

* Update tauri.rs
@39zde 39zde requested a review from a team as a code owner October 24, 2024 14:55
@39zde 39zde marked this pull request as draft October 24, 2024 14:56
@39zde 39zde marked this pull request as ready for review October 24, 2024 15:10
Copy link
Contributor

github-actions bot commented Oct 28, 2024

Package Changes Through b58ae8b

There are 9 changes which include tauri-utils with minor, tauri with minor, @tauri-apps/api with minor, tauri-bundler with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri-runtime-wry with minor, tauri-macros with patch, tauri-runtime with minor

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package current next
@tauri-apps/api 2.0.3 2.1.0
tauri-utils 2.0.2 2.1.0
tauri-bundler 2.0.4 2.1.0
tauri-runtime 2.1.1 2.2.0
tauri-runtime-wry 2.1.2 2.2.0
tauri-codegen 2.0.2 2.0.3
tauri-macros 2.0.2 2.0.3
tauri-plugin 2.0.2 2.0.3
tauri-build 2.0.2 2.0.3
tauri 2.0.6 2.1.0
@tauri-apps/cli 2.0.4 2.1.0
tauri-cli 2.0.4 2.1.0

Add another change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector

Copy link
Member

@amrbashir amrbashir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please revert the changes where you moved types from config.rs to config/security.rs so the relevant PRs could be reviewed separately, after merge, your can open another PR to refactor things into different files.

crates/tauri-utils/src/config/security.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config/security.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config/security.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config/security.rs Outdated Show resolved Hide resolved
.changes/add-headers-config-option.md Outdated Show resolved Hide resolved
.changes/add-headers-config-option.md Outdated Show resolved Hide resolved
crates/tauri-utils/src/config.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config.rs Outdated Show resolved Hide resolved
crates/tauri-utils/src/config.rs Outdated Show resolved Hide resolved
@amrbashir amrbashir requested a review from tweidinger October 28, 2024 22:39
.changes/add-headers-config-option.md Outdated Show resolved Hide resolved
crates/tauri-utils/src/config.rs Outdated Show resolved Hide resolved
@39zde 39zde requested a review from amrbashir October 29, 2024 15:01
amrbashir
amrbashir previously approved these changes Oct 29, 2024
Copy link
Member

@amrbashir amrbashir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just need approval of @tweidinger

Note you need to run cargo b -p tauri-schema-generator to fix CI

Copy link
Contributor

@tweidinger tweidinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@amrbashir amrbashir merged commit fabc2f2 into tauri-apps:dev Nov 6, 2024
19 of 27 checks passed
@39zde 39zde deleted the headers branch November 6, 2024 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants