-
-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[webpack] Add a configuration option to set the CSP header during development #2331
Comments
@malept, FYI, when we upgraded from 6.0.0-beta.57 to 6.0.0-beta.58 our app stopped working in development mode but works in production mode. It appears that the default CSP headers in production mode allow for making requests to other domains (for example, we do POST requests to www.example.com), but the default CSP headers in development mode don't allow this. |
I'm unlikely to change this. In fact, I'm probably going to add default CSP headers to all of the templates, to match |
Add plugins: [
[
'@electron-forge/plugin-webpack',
{
devContentSecurityPolicy: `default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;`,
mainConfig: './webpack.main.config.js',
renderer: {
config: './webpack.renderer.config.js',
entryPoints: [
{
html: './src/index.html',
js: './src/renderer.ts',
name: 'main_window',
preload: {
js: './src/preload.ts',
},
},
],
},
},
],
] |
Yes, just letting you know 🙂 |
Thanks! 🙂 |
Sounds like a breaking change. |
I empathize, but changes like this are why v6 is still in beta. As such, semver rules don't really apply here. Moving forward the release notes should mention when a breaking change occurs (for example, beta 60). |
I see, thank you for the reply! Let me leave a message here to someone who might have the same problem. I have an Electron project which uses electron-forge and Firebase Auth.
Setting |
This doesn't seem to work for me (but I'm probably just doing something wrong). Just upgraded to ^6.0.0-beta.61 and added it into my package.json:
Running my electron forge app with "npm start" still gives me the CSP warning. I'm a bit confused on how this is supposed to work, should it be injecting a element into the page? Adding my own doesn't get overwritten either. |
@jrj2211 I seem to remember that there was a reason that people were using backticks instead of double quotes around the value for So you probably should use this:
instead of this:
Hope that helps 🙂 |
Whatever is going on here completely broke the ability to load local files using the Edit: just putting a blank string did the trick... What a nightmare. I wasted 2 nights trying to just get an image to load from a local path. I couldn't just import it for what I am doing. |
THANK YOU !!!!!! it works)) |
I just started a new Electron Forge project with the webpack-typescript template and got the warning:
I did some research and then added:
So i finally discovered this issue here and set |
@janwendt Can you post some code showing how you set |
Same problem as @janwendt. Added property
The warning still persists. However, when I set the CSP header in the index.html
The error occurs
|
@moepmoep12 @Eli-Black-Work @janwendt Worked for me when I removed all CSP meta tags from index.html and put devContentSecurityPolicy at the end of config struct (see WebpackPluginConfig.ts to understand why):
|
@HashedViking @moepmoep12 I tried the same thing, removed all meta tags from the index.html and put the devContentSecurityPolicy at the end of the config in my forge.config.js yet I'm getting this error: Refused to connect to 'ws://localhost:3000/ws' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback. I'm a bit new to Webpack and Electron and have been trying out things to fix this but I'm persistently getting the error. plugins: [ |
Preflight Checklist
Problem Description
Extracted from #2289:
Webpack property
devtool
default not playing nice with content-security-policyProposed Solution
Add a top-level Webpack plugin configuration option to customize the CSP header sent by
webpack-dev-server
.Alternatives Considered
Again, from #2289:
This isn't ideal for a couple of reasons:
source-map
is slower to generate thaneval-source-map
(or so I'm told)Additional Information
Please note that app developers still need to set the
<meta>
tag appropriately, for when the Electron app is bundled and distributed.This will probably also need documentation on the website.
The text was updated successfully, but these errors were encountered: