[feat] Allow limiting dangerousDisableAssetCspModification to "script" or "style" #3831
Labels
Comments
|
I like this idea, but I have one note: This specific config api only works with these 3 possible values: |
|
We need to consider future changes so using an array makes more sense here. |
|
Yep, |
lucasfernog
added a commit
that referenced
this issue
May 1, 2022
dceddia
pushed a commit
to dceddia/tauri
that referenced
this issue
May 14, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the problem
The dangerousDisableAssetCspModification is great for us because we've found that injecting nonces for style sheets didn't play well with the UI library we were using (lit). But it would be even better if there was an option to disable nonces for
styleandscripttags individually! In our case, we'd like to disable the feature for style tags (since it breaks our app) but keep it for script tags (which are the more dangerous attack surface anyway).Describe the solution you'd like
In addition to boolean values, also allow
"script" | "style". For example, the following would disable nonces for style sheets only:{ ... "security": { "csp": "...", "dangerousDisableAssetCspModification": "style" } }Alternatives considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: