[bug] HTTP scope can't allow all URIs #3507

Closed
elvinaspredkelis opened this issue Feb 18, 2022 · 6 comments

@elvinaspredkelis
Contributor

Describe the bug

Hello 👋

It is seemingly impossible to allow all URIs to pass through Tauri's HTTP API.

I do understand this is a security measure, however, some apps rely on allowing all URIs. E.g. developer tooling. Or, the URIs are validated somewhere else, like a backend server.

Reproduction

  1. Add required attributes to the allowlist in tauri.conf.json:

      "http": {
        "all": true,
        "request": true,
        "scope": ["https://*", "http://*"]
      }

  2. Try to perform any HTTP request via the Tauri API
  3. Should get this error: url not allowed on the configured scope

Expected behavior

It would be expected that such scopes would allow all URIs to pass through the scope validation:

  • http://*
  • https://*
  • Or perhaps work like shell scopes and allow either true or ^https?:// RegEx.

Platform and versions

Operating System - Mac OS, version 12.0.1 X64

Node.js environment
  Node.js - 16.6.2
  @tauri-apps/cli - 1.0.0-rc.4
  @tauri-apps/api - 1.0.0-rc.1

Global packages
  npm - 8.3.0
  pnpm - Not installed
  yarn - 1.22.11

Rust environment
  rustup - 1.24.3
  rustc - 1.58.1
  cargo - 1.58.0
  toolchain - stable-x86_64-apple-darwin 

App directory structure
/dist
/node_modules
/public
/src-tauri
/.git
/.vscode
/src

App
  tauri - 1.0.0-rc.2
  tauri-build - 1.0.0-rc.1
  tao - 0.6.2
  wry - 0.13.1
  build-type - bundle
  CSP - default-src 'self'
  distDir - ../dist
  devPath - http://localhost:8080/
  framework - Vue.js

Stack trace

No response

Additional context

No response

@qu1ck

qu1ck commented Feb 27, 2022

Is this actually fixed? Do I have to wait for a release?

I updated my cargo.toml to have

[build-dependencies]
tauri-build = { git = "https://github.com/tauri-apps/tauri.git", features = [] }

[dependencies]
serde_json = "1.0"
serde = { version = "1.0", features = ["derive"] }
tauri = { git = "https://github.com/tauri-apps/tauri.git", features = ["http-all"] }

then did cargo update, cargo clean. On next build my app shows this in the log

   Compiling tauri-utils v1.0.0-rc.2 (https://github.com/tauri-apps/tauri.git#2d8dd495)
   Compiling tauri-build v1.0.0-rc.3 (https://github.com/tauri-apps/tauri.git#2d8dd495)
   Compiling tauri-codegen v1.0.0-rc.2 (https://github.com/tauri-apps/tauri.git#2d8dd495)
   Compiling tauri-macros v1.0.0-rc.2 (https://github.com/tauri-apps/tauri.git#2d8dd495)
   Compiling tauri-runtime v0.3.2 (https://github.com/tauri-apps/tauri.git#2d8dd495)
   Compiling tauri-runtime-wry v0.3.2 (https://github.com/tauri-apps/tauri.git#2d8dd495)

So it seems to pick up the latest from git.

I have this in my app.js:

const http = require('@tauri-apps/api/http')

window.onload = (event) => {
    http.fetch("https://some_valid_url").then(console.log);
}

and this in tauri.conf.json:

    "allowlist": {

      "http": {
        "all": true,
        "request": true,
        "scope": ["https://*"]
      }
    },

And I still get url not allowed on the configured scope in the console instead of a response.

What am I missing?

@lucasfernog
Member

What's the URL you used to test it?

@qu1ck

qu1ck commented Feb 27, 2022

https://www.google.com/search/howsearchworks/ for example

@lucasfernog
Member

Since it's a glob pattern, you'd need to allow https://** in that case.
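
The difference between the two patterns, as an added example that is not part of the thread and is not Tauri's own code: a simplified matcher in which `*` stops at `/` and `**` does not (an assumption about the semantics the reply describes), plus a hypothetical `broad_entries` helper for spotting scope entries that act as allow-all when reviewing a config.

```rust
// Added illustration, not Tauri's implementation. Assumed semantics:
// `*` matches any run of characters except '/', `**` also crosses '/'.
fn glob_match(pattern: &[u8], text: &[u8]) -> bool {
    match pattern {
        [] => text.is_empty(),
        [b'*', b'*', rest @ ..] => (0..=text.len()).any(|i| glob_match(rest, &text[i..])),
        [b'*', rest @ ..] => {
            // A single star may only consume characters up to the next '/'.
            let limit = text.iter().position(|&c| c == b'/').unwrap_or(text.len());
            (0..=limit).any(|i| glob_match(rest, &text[i..]))
        }
        [p, rest @ ..] => text.first() == Some(p) && glob_match(rest, &text[1..]),
    }
}

/// True if at least one scope entry matches the whole URL.
fn is_allowed(scope: &[&str], url: &str) -> bool {
    scope.iter().any(|p| glob_match(p.as_bytes(), url.as_bytes()))
}

/// Review helper (hypothetical): scope entries that accept a path on a host
/// nobody listed, i.e. entries that behave as allow-all for their scheme.
fn broad_entries<'a>(scope: &[&'a str]) -> Vec<&'a str> {
    // Constructed probe URLs; the host is a placeholder.
    let probes = ["https://unlisted.example/any/path", "http://unlisted.example/any/path"];
    scope.iter().copied()
        .filter(|p| probes.iter().any(|u| glob_match(p.as_bytes(), u.as_bytes())))
        .collect()
}

fn main() {
    let url = "https://www.google.com/search/howsearchworks/"; // URL from the thread
    for scope in [["https://*"], ["https://**"]] {
        println!("{:?} allows {}: {}", scope, url, is_allowed(&scope, url));
    }
    // Constructed scope list for the review helper.
    let scope = ["https://*", "https://**", "https://api.example.com/*"];
    println!("allow-all entries: {:?}", broad_entries(&scope));
}
```
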

@qu1ck

qu1ck commented Feb 27, 2022

Ah, I was confused by the example, thanks for fixing it. It works!

@cangSDARM

Never mind. I use rc3; it seems that this feature is only available in rc5.
