Lock down the app’s content security policy a bit more

This commit is contained in:
Ben Gotow 2021-02-15 01:28:23 -06:00 committed by Ben Gotow
parent 5ce665d4ef
commit 5aebb5da1e
5 changed files with 9 additions and 8 deletions


@ -8,7 +8,9 @@ const fs = require('fs');
fs.statSyncNoException = function(...args) { fs.statSyncNoException = function(...args) {
try { try {
return fs.statSync.apply(fs, args); return fs.statSync.apply(fs, args);
} catch (e) {} } catch (e) {
//pass
}
return false; return false;
}; };
@ -16,7 +18,7 @@ console.inspect = function consoleInspect(val) {
console.log(util.inspect(val, true, 7, true)); console.log(util.inspect(val, true, 7, true));
}; };
const app = require('electron').app; const { app, session } = require('electron');
const path = require('path'); const path = require('path');
const mkdirp = require('mkdirp'); const mkdirp = require('mkdirp');
@ -323,7 +325,7 @@ const start = () => {
// Block remote JS execution in a second way in case our <meta> tag approach // Block remote JS execution in a second way in case our <meta> tag approach
// is compromised somehow https://www.electronjs.org/docs/tutorial/security // is compromised somehow https://www.electronjs.org/docs/tutorial/security
// This CSP string should match the one in app/static/index.html // This CSP string should match the one in app/static/index.html
require('electron').session.defaultSession.webRequest.onHeadersReceived((details, callback) => { session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
if (details.url.startsWith('devtools://')) { if (details.url.startsWith('devtools://')) {
return callback(details); return callback(details);
} }
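Review bot: The header-side CSP string that this onHeadersReceived handler injects (further down, outside the hunk) does not appear to be updated, while the three index.html <meta> policies in this commit drop 'unsafe-inline' / 'unsafe-eval' from script-src; the comment two lines above the handler says the two strings must match, and the diffstat (9 additions, 8 deletions) looks fully accounted for by the visible lines, so the header string seems to have been left as it was. Since both a <meta> and a header policy are enforced when present, the stricter meta policy still wins for pages that carry it, but this handler is explicitly the backstop for the case where the meta tag is missing or tampered with, and a backstop that still permits inline or eval'd script is weaker than the primary control it is meant to replace. I would either tighten the header string in the same commit or reword the comment to `// This CSP string must be at least as strict as the <meta> policies in app/static/*.html; both are enforced`. The `start` arrow function and the handler callback continue beyond the hunk, and the `catch (e) { //pass }` rewrite in the first hunk only reformats the pre-existing swallow of every statSync error into a `false` return.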


@ -1,6 +1,5 @@
import url from 'url'; import url from 'url';
import React from 'react'; import React from 'react';
import PropTypes from 'prop-types';
import { shell } from 'electron'; import { shell } from 'electron';
import ReactDOM from 'react-dom'; import ReactDOM from 'react-dom';
import classnames from 'classnames'; import classnames from 'classnames';
@ -233,7 +232,7 @@ export default class Webview extends React.Component<WebviewProps, WebviewState>
render() { render() {
return ( return (
<div className="webview-wrap"> <div className="webview-wrap">
<webview ref="webview" partition="in-memory-only" /> <webview ref="webview" partition="in-memory-only" enableremotemodule="false" />
<div className={`webview-loading-spinner loading-${this.state.webviewLoading}`}> <div className={`webview-loading-spinner loading-${this.state.webviewLoading}`}>
<RetinaImg <RetinaImg
style={{ width: 20, height: 20 }} style={{ width: 20, height: 20 }}
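Review bot: `enableremotemodule="false"` on the `<webview>` in render() is set only in renderer markup, so it is as trustworthy as the renderer that emits it; Electron's security guidance is to verify or override `<webview>` options from the main process in a `will-attach-webview` handler, and on Electron 10+ the remote module is already off by default for guests, which makes this attribute belt-and-braces rather than the control itself. A short comment above the tag, `{/* remote module is off by default since Electron 10; the host-side will-attach-webview handler is the enforcing control */}`, would record that, provided such a handler exists in the main process (not visible here) — if it does not, that is the gap worth closing. `ref="webview"` is a legacy string ref; `React.createRef()` is the current form. The Webview class continues outside the hunk.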


@ -2,7 +2,7 @@
<html style="background: #fff"> <html style="background: #fff">
<head> <head>
<title>Updating Mailspring Database...</title> <title>Updating Mailspring Database...</title>
<meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;"> <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
<style> <style>
.progress { .progress {
position: relative; position: relative;
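Review bot: Removing 'unsafe-eval' from script-src on the <meta> line is the only tightening, and the rest of the policy stays permissive: `default-src *` also governs object-src, connect-src and child-src, so plugins and fetches to any origin remain allowed, and `img-src *` plus `style-src * 'unsafe-inline'` still let remote images and stylesheets load, which in a mail client is where remote-content tracking lands. Adding `object-src 'none'; base-uri 'self'` would close two directives that default-src currently leaves open without touching script behaviour; connect-src I would leave until the app's own endpoints are enumerated. The `chrome-extension://react-developer-tools` allowance is a development aid shipped in a production page and could be gated on a dev build. The same policy and the same points apply to the "Preparing Mailspring..." page and to the main "Mailspring" index page later in this commit (the latter drops 'unsafe-inline' instead).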


@ -2,7 +2,7 @@
<html style="background: #fff"> <html style="background: #fff">
<head> <head>
<title>Preparing Mailspring...</title> <title>Preparing Mailspring...</title>
<meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-eval' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;"> <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
<style> <style>
.progress { .progress {
position: relative; position: relative;


@ -3,7 +3,7 @@
<head> <head>
<title>Mailspring</title> <title>Mailspring</title>
<meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' 'unsafe-inline' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;"> <meta http-equiv="Content-Security-Policy" content="default-src * mailspring:; script-src 'self' chrome-extension://react-developer-tools; style-src * 'unsafe-inline' mailspring:; img-src * data: mailspring: file:;">
<script src="index.js"></script> <script src="index.js"></script>
</head> </head>
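Review bot: Dropping 'unsafe-inline' from script-src on this <meta> line also blocks inline event-handler attributes and `javascript:` URLs in this document and in any markup later rendered into it; the hunk shows only the external `index.js`, so it is worth confirming that nothing injected into index.html relies on them, because the failure mode is silent apart from a devtools console message. A comment next to the tag, `<!-- script-src deliberately excludes 'unsafe-inline' and 'unsafe-eval'; keep in sync with the header policy set in the main process -->`, would keep the next editor from re-adding either source expression to fix such a breakage.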