set CSP headers (inline and in session)

2019-06-18 00:34:21 +02:00 · 2019-06-18 00:34:21 +02:00 · 0b5cc6a2cb
parent c3d87c21fa
commit 0b5cc6a2cb
2 changed files with 10 additions and 7 deletions
--- a/index.html
+++ b/index.html
@ -2,6 +2,10 @@
 <html lang="en">
  <head>
    <meta charset="UTF-8" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; style-src 'unsafe-inline'; img-src *"
+    />
    <title>Renai</title>
  </head>
  <body id="app"></body>
--- a/src/main/services/session.ts
+++ b/src/main/services/session.ts
@ -1,19 +1,18 @@
 import { session } from 'electron';
-import OnResponseStartedDetails = Electron.OnResponseStartedDetails;
+import OnHeadersReceivedDetails = Electron.OnHeadersReceivedDetails;

-function initSession(): void {
+function init(): void {
+  // these headers only work on webrequests, file:// protocol is handled via meta tags in index.html
  session.defaultSession.webRequest.onHeadersReceived(
-    (details: OnResponseStartedDetails, callback: (response: any) => void) => {
+    (details: OnHeadersReceivedDetails, callback: (response: {}) => void) => {
      callback({
        responseHeaders: {
          ...details.responseHeaders,
-          'Content-Security-Policy': [
-            "default-src 'self'; style-src 'unsafe-eval' 'unsafe-inline'",
-          ],
+          'Content-Security-Policy': ["default-src 'none'"],
        },
      });
    }
  );
 }

-export default { init: initSession };
+export default { init };