set CSP headers (inline and in session)

Xymorot 2019-06-18 00:34:21 +02:00
parent c3d87c21fa
commit 0b5cc6a2cb
2 changed files with 10 additions and 7 deletions


@ -2,6 +2,10 @@
<html lang="en"> <html lang="en">
<head> <head>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; style-src 'unsafe-inline'; img-src *"
/>
<title>Renai</title> <title>Renai</title>
</head> </head>
<body id="app"></body> <body id="app"></body>
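Review bot: `img-src *` in the added meta policy permits image loads from any host, so any markup that reaches the renderer can trigger requests to arbitrary origins. If the app only displays images from a known set of hosts, list those hosts instead of `*`. `style-src 'unsafe-inline'` replaces the `default-src 'self'` fallback for styles, so a linked stylesheet file from the app itself would be blocked unless the directive reads `style-src 'self' 'unsafe-inline'`. `default-src` also does not cover `base-uri` or `form-action`; assuming the app uses neither, appending `base-uri 'none'; form-action 'none'` would close both.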


@ -1,19 +1,18 @@
import { session } from 'electron'; import { session } from 'electron';
import OnResponseStartedDetails = Electron.OnResponseStartedDetails; import OnHeadersReceivedDetails = Electron.OnHeadersReceivedDetails;
function initSession(): void { function init(): void {
// these headers only work on webrequests, file:// protocol is handled via meta tags in index.html
session.defaultSession.webRequest.onHeadersReceived( session.defaultSession.webRequest.onHeadersReceived(
(details: OnResponseStartedDetails, callback: (response: any) => void) => { (details: OnHeadersReceivedDetails, callback: (response: {}) => void) => {
callback({ callback({
responseHeaders: { responseHeaders: {
...details.responseHeaders, ...details.responseHeaders,
'Content-Security-Policy': [ 'Content-Security-Policy': ["default-src 'none'"],
"default-src 'self'; style-src 'unsafe-eval' 'unsafe-inline'",
],
}, },
}); });
} }
); );
} }
export default { init: initSession }; export default { init };
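Review bot: The `default-src 'none'` header is registered only on `session.defaultSession`, so a window or webview created with its own `partition` or session would load remote documents without it. The section does not show whether such sessions exist, so the new comment should state the limit, e.g. `// applies to defaultSession only; register the same handler on any custom session`. Separately, `callback: (response: {}) => void` accepts any non-nullish value, so a misspelled key such as `responseHeader` would compile and the policy would silently not be applied. Dropping the explicit parameter annotations and letting them be inferred from `onHeadersReceived` would have the compiler check the response shape.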