[英]Violating Content Secuirty Policy in Electron app using React and Webpack
I am currently making a small application that is trying to fetch data from an API.我目前正在制作一个小型应用程序,它试图从 API 中获取数据。 To begin, I used electron-forge's webpack and react template to get started.
首先,我使用了 electron-forge 的 webpack 和 react 模板来开始。
Without any CSP configuration in the meta
tag of the HTML file, I get this error: HTML 文件的
meta
标记中没有任何 CSP 配置,我收到此错误:
Added the following CSP to my main HTML file:将以下 CSP 添加到我的主 HTML 文件中:
<meta
charset="UTF-8"
http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-inline' data: https://api.flybywire.com/;"
/>
This results in this error with a blank page in the renderer (before, it displayed the rest of the page correctly).这会导致渲染器中出现空白页面的错误(之前,它正确显示了页面的 rest)。
If I add 'unsafe-eval' to the CSP, I get this.如果我将“unsafe-eval”添加到 CSP,我会得到这个。
The strange thing is it appears that there are two CSP policies going on here.奇怪的是,这里似乎有两个 CSP 政策。 I have made an electron app without WebPack before that fetched data online with no issue, and I am unfamiliar with it.
我已经制作了一个没有 WebPack 的 electron 应用程序,然后在线获取数据没有问题,我不熟悉它。 I have a feeling the issue lies in there.
我感觉问题出在那儿。
I've tried editing my webpack.renderer.config.js by adding devtool: "eval-source-map"
under module.exports
to no avail.我尝试通过在 module.exports 下添加
devtool: "eval-source-map"
来编辑我的module.exports
无济于事。
The source code is available under this github repository , however I haven't pushed the version that calls the data fetching function which is located in metar.jsx
.源代码在此github 存储库下可用,但是我还没有推送调用位于
metar.jsx
中的数据获取 function 的版本。
Any help would be greatly appreciated as I have been scouring around for a fix for days now.任何帮助将不胜感激,因为我几天来一直在寻找修复。
Found the solution.找到了解决方案。 As I suspected, there was indeed a separate security policy.
正如我所怀疑的,确实有一个单独的安全策略。 However, if using electron-forge, there is a way to specify this in your
package.json
by adding但是,如果使用电子
package.json
,有一种方法可以通过添加
"devContentSecurityPolicy":"default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;"
Just like this像这样
[
"@electron-forge/plugin-webpack",
{
"devContentSecurityPolicy":"default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;",
"mainConfig": "./webpack.main.config.js",
"renderer": {
"config": "./webpack.renderer.config.js",
"entryPoints": [
{
"html": "./src/index.html",
"js": "./src/renderer.js",
"name": "main_window"
}
]
Just a caveat, that CSP is highly insecure because it allows everything in the document.需要注意的是,CSP 非常不安全,因为它允许文档中的所有内容。 It should be modified to include only what is needed later.
应该修改它以仅包含以后需要的内容。 However, I'm glad to have found where this hidden setting was.
但是,我很高兴找到了这个隐藏设置的位置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.