npm - @bouko/electron - Versions diffs - 1.0.0 → 1.0.1 - Mend

@bouko/electron 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/csp.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Content Security Policies.
+ *
+ * Production:
+ *  - Restrict all resources to the app bundle (`'self'`) by default.
+ *  - Allow network access only to Supabase.
+ *  - Enable safe playback of audio/media via `blob:` and `data:` URLs.
+ *  - Explicitly disable dangerous features such as plugins and framing.
+ *
+ * Development:
+ *  - Relax restrictions to support hot reload, devtools, and local servers.
+ *  - Allow inline scripts and eval (required by some bundlers/dev servers).
+ *  - Permit WebSocket connections to localhost.
+**/
+export declare const csp: string;
+export declare const devCsp: string;
+export declare const setupCspPolicy: () => void;

package/dist/csp.js ADDED Viewed

@@ -0,0 +1,48 @@
+import { app, session } from "electron";
+import { getEnv } from "@bouko/ts";
+/**
+ * Content Security Policies.
+ *
+ * Production:
+ *  - Restrict all resources to the app bundle (`'self'`) by default.
+ *  - Allow network access only to Supabase.
+ *  - Enable safe playback of audio/media via `blob:` and `data:` URLs.
+ *  - Explicitly disable dangerous features such as plugins and framing.
+ *
+ * Development:
+ *  - Relax restrictions to support hot reload, devtools, and local servers.
+ *  - Allow inline scripts and eval (required by some bundlers/dev servers).
+ *  - Permit WebSocket connections to localhost.
+**/
+export const csp = "default-src 'self'; " +
+    "script-src 'self'; " +
+    "style-src 'self'; " +
+    "img-src 'self' data: https:; " +
+    "font-src 'self' data:; " +
+    `connect-src 'self' blob: ${getEnv("DB_URL")}; ` +
+    "media-src 'self' blob: data:; " +
+    "worker-src 'self' blob:; " +
+    "object-src 'none'; " +
+    "base-uri 'self'; " +
+    "frame-ancestors 'none';";
+export const devCsp = "default-src 'self' http://localhost:* blob: data:; " +
+    "script-src 'self' 'unsafe-eval' 'unsafe-inline' http://localhost:*; " +
+    "style-src 'self' 'unsafe-inline' http://localhost:*; " +
+    "img-src 'self' data: blob: http://localhost:* https:; " +
+    "media-src 'self' blob: data:; " +
+    "worker-src 'self' blob: http://localhost:*; " +
+    `connect-src 'self' blob: http://localhost:* ws://localhost:* ${getEnv("DB_URL")};`;
+export const setupCspPolicy = () => session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+    if (details.url.startsWith("file://") ||
+        details.url.startsWith("http://localhost")) {
+        callback({
+            responseHeaders: {
+                ...details.responseHeaders,
+                "Content-Security-Policy": [!app.isPackaged ? devCsp : csp],
+            },
+        });
+        return;
+    }
+    // Do NOT touch third-party pages (SoundCloud, etc.)
+    callback({ responseHeaders: details.responseHeaders });
+});

package/dist/index.d.ts CHANGED Viewed

	@@ -1 +1,2 @@
1 1	export declare const getUserDataPath: (x: string) => string;
2	+ export * from "./csp";

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,4 @@
 import { app } from "electron";
 import path from "path";
 export const getUserDataPath = (x) => path.join(app.getPath("userData"), x);
+export * from "./csp";

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "@bouko/electron",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "",
@@ -38,12 +38,16 @@
   "devDependencies": {
-    "electron": "^39.2.7"
+    "electron": "^39.2.7",
+    "react-router-dom": "^7.12.0"
   },
   "dependencies": {
+    "@bouko/ts": "^0.3.8",
     "path": "^0.12.7"
   }