refactor: update security policies in window creation and enhance loading page CSP

2026-06-06 05:32:06 +00:00 · 2026-06-04 14:42:32 +02:00
parent 982c771e82
commit 2496f13055
5 changed files with 102 additions and 90 deletions
@@ -22,7 +22,7 @@ export function createMainWindow({
  const windowOptions = createWindowOptions({ allowDevTools, appConfig, rootPath, isLoadingWindow: false });
  const window = new BrowserWindow(windowOptions);

-  denyPermissionsByDefault(window);
+  applySecurityPolicies(window, allowDevTools);
  window.setMenuBarVisibility(false);

  window.webContents.setWindowOpenHandler(({ url }) => {
@@ -65,7 +65,7 @@ export function createLoadingWindow({
 }: Omit<WindowServiceDependencies, "mainDashboardUrl">): BrowserWindow {
  const window = new BrowserWindow(createWindowOptions({ allowDevTools, appConfig, rootPath, isLoadingWindow: true }));

-  denyPermissionsByDefault(window);
+  applySecurityPolicies(window, allowDevTools);

  window.on("page-title-updated", (event) => {
    event.preventDefault();
@@ -123,8 +123,25 @@ function createWindowOptions({
  };
 }

-function denyPermissionsByDefault(window: BrowserWindow): void {
+function applySecurityPolicies(window: BrowserWindow, allowDevTools: boolean): void {
  window.webContents.session.setPermissionRequestHandler((_webContents, _permission, callback) => {
    callback(false);
  });
+
+  window.webContents.session.webRequest.onHeadersReceived((details, callback) => {
+    callback({
+      responseHeaders: {
+        ...details.responseHeaders,
+        "Content-Security-Policy": [
+          "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: http://localhost:* http://127.0.0.1:*; connect-src * ws: wss:; img-src * data: blob:; media-src * data: blob:; font-src * data:;"
+        ]
+      }
+    });
+  });
+
+  if (!allowDevTools) {
+    window.webContents.on("devtools-opened", () => {
+      window.webContents.closeDevTools();
+    });
+  }
 }