Upgrade to latest electron. Add some form of csp.

blackshadev · blackshadev · commit 28fcaa9dce79 · 2023-08-15T13:13:54.000+02:00
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "name": "dive-downloader",
   "description": "Download dives from any divecomputer with an electron app",
   "productName": "dive-downloader",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "main": ".webpack/main",
   "scripts": {
     "lint": "eslint src --ext .js,.jsx,.ts,.tsx",
@@ -96,7 +96,7 @@
     "@typescript-eslint/parser": "^6.4.0",
     "@vercel/webpack-asset-relocator-loader": "^1.7.3",
     "css-loader": "^6.7.1",
-    "electron": "^19.0.10",
+    "electron": "^26.0.0",
     "eslint": "^8.21.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-compat": "^4.0.2",
diff --git a/src/main/main.ts b/src/main/main.ts
@@ -11,6 +11,7 @@
 import path from 'path';
 import { app, BrowserWindow, shell, ipcMain, dialog, session } from 'electron';
 import MenuBuilder from './menu';
+import { serviceOrigin } from '../services/api/config';
 
 declare const MAIN_WINDOW_WEBPACK_ENTRY: string;
 
@@ -79,11 +80,17 @@ const createWindow = async () => {
     mainWindow = null;
   });
 
+  const cspConnectSrc = ["'self'", serviceOrigin];
+  const cspDefaultSrc = ["'self'", 'data:', "'unsafe-inline'"];
+  if (isDebug) {
+    cspDefaultSrc.push("'unsafe-eval'")
+  }
+
   session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
     callback({
       responseHeaders: {
         ...details.responseHeaders,
-        'Content-Security-Policy': ['default-src \'self\' \'unsafe-inline\' \'unsafe-eval\' data: https://api.dive.littledev.nl http://api.littledivelog.local']
+        'Content-Security-Policy': [`default-src ${cspDefaultSrc.join(' ')}; connect-src ${cspConnectSrc.join(' ')}`]
       }
     })
   })
diff --git a/src/services/api/config.ts b/src/services/api/config.ts
@@ -1,7 +1,9 @@
 const useProduction = process.env.NODE_ENV === 'production';
 
-export const serviceUrl = useProduction
-  ? 'https://api.dive.littledev.nl/api'
-  : 'http://api.littledivelog.local/api';
+export const serviceOrigin = useProduction
+? 'https://api.dive.littledev.nl'
+: 'http://api.littledivelog.local'
+
+export const serviceUrl = `${serviceOrigin}/api`;
 
 export default serviceUrl;
diff --git a/yarn.lock b/yarn.lock
