[feat] allow changing the CSP before it gets injected into the webview #3533
Comments
This feature has a lot of implications security-wise.
This is a good concern, but changing the CSP at runtime is a no-go IMO.
Wdym by this exactly?
Fully agree at the current state.
We currently face multiple issues where the allowlist is configured at compile time but cannot be changed by user interaction during use/runtime. For example the The same goes for the CSP but imho the CSP should be the last thing to improve, as this (fetching data from user defined sources) should ideally be handled by the rust backend. So having an inbuilt configuration storage (some kind of authenticated and/or encrypted file/db), which is persistent in the filesystem, could improve the above use cases, where application users would be able to "safely" extend allow functions, depending on their use case. I think this is just a possible solution and more discussion around this topic would be awesome.
We won't allow changing it from the frontend, just on the Rust side on initialization.
That sounds like a reasonable trade off for now, as it doesn't break the current security assumptions (you are not constrained by the tauri config on the rust side at all).
Describe the problem
Some applications need to connect to user-provided URLs, and to keep it secure, Tauri should allow developers to extend the CSP string at runtime.
Describe the solution you'd like
Add a runtime API to change the CSP string.
Alternatives considered
No response
Additional context
No response
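An added example (not code from this issue or from Tauri) of the approach the thread settles on, extending the policy on the Rust side at initialization: user-provided URLs are reduced to validated https origins before being appended to `connect-src`. The function names `origin_from_user_url` and `build_csp`, the base policy and the sample URLs are assumptions made for illustration.

```rust
// Added example; function names and sample values are constructed, not Tauri APIs.
/// Reduce a user-supplied URL to a bare https origin, or reject it.
fn origin_from_user_url(input: &str) -> Option<String> {
    let rest = input.trim().strip_prefix("https://")?;
    // The authority ends at the first '/', '?' or '#'; path and query are dropped.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (authority, None),
    };
    // Strict host alphabet: ';', ',', spaces, quotes, '*', '@' and IPv6 brackets never pass.
    if host.is_empty() || !host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.') {
        return None;
    }
    let host = host.to_ascii_lowercase();
    Some(port.map_or(format!("https://{}", host), |p| format!("https://{}:{}", host, p)))
}

/// Build the CSP once, at initialization; returns the policy and the rejected inputs.
fn build_csp(base_csp: &str, user_urls: &[&str]) -> (String, Vec<String>) {
    let (mut extra, mut rejected) = (Vec::new(), Vec::new());
    for url in user_urls {
        match origin_from_user_url(url) {
            Some(o) => extra.push(o),
            None => rejected.push(url.to_string()),
        }
    }
    let (mut out, mut found) = (Vec::new(), false);
    for d in base_csp.split(';').map(str::trim).filter(|d| !d.is_empty()) {
        let name = d.split_whitespace().next().unwrap_or("");
        if name.eq_ignore_ascii_case("connect-src") && !extra.is_empty() {
            found = true;
            out.push(format!("{} {}", d, extra.join(" ")));
        } else {
            out.push(d.to_string());
        }
    }
    if !found && !extra.is_empty() {
        // Assumption: with no connect-src in the base policy, start from 'self'.
        out.push(format!("connect-src 'self' {}", extra.join(" ")));
    }
    (out.join("; "), rejected)
}

fn main() {
    // Constructed sample input: one valid URL, one directive-injection attempt, one non-https URL.
    let urls = ["https://API.example.com/v1?x=1", "https://a.example; script-src *", "http://plain.example"];
    println!("{:?}", build_csp("default-src 'self'; connect-src 'self'", &urls));
}
```

Because only a normalized origin is ever written into the policy, a value containing `;` or whitespace is rejected outright instead of being escaped.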