@stlite/desktop 0.21.1 → 0.21.3

package/README.md

@@ -1 +1,60 @@
 # `@stlite/desktop`
+
+Convert your [Streamlit](https://streamlit.io/) application into a desktop app with [stlite](https://github.com/whitphx/stlite) runtime, a [Pyodide](https://pyodide.org/)-based Wasm-port of Streamlit.
+
+## How to create a Streamlit desktop app
+
+1. Create the following `package.json` file to start a new NPM project. Edit the `name` field.
+   ```json
+   {
+     "name": "xxx",
+     "version": "0.1.0",
+     "main": "./build/electron/main.js",
+     "scripts": {
+       "dump": "dump-stlite-desktop-artifacts",
+       "serve": "NODE_ENV=\"production\" electron .",
+       "pack": "electron-builder --dir",
+       "dist": "electron-builder",
+       "postinstall": "electron-builder install-app-deps"
+     },
+     "build": {
+       "files": ["build/**/*"],
+       "directories": {
+         "buildResources": "assets"
+       }
+     },
+     "devDependencies": {
+       "@stlite/desktop": "^0.21.0",
+       "electron": "^22.0.0",
+       "electron-builder": "^23.6.0"
+     }
+   }
+   ```
+2. Run `npm install` or `yarn install`.
+3. Create `streamlit_app` directory.
+   - Any directory name can be used here.
+4. Create `streamlit_app/streamlit_app.py`.
+   - Change the directory name if you used a different name in the previous step.
+5. Write your Streamlit app code in `streamlit_app/streamlit_app.py`.
+   - The file name `streamlit_app.py` is not configurable now.
+6. Optionally, you can add more contents in the directory, including `pages/*.py` for multi-page apps, any data files, and so on.
+7. Run `npm run dump streamlit_app` or `yarn dump streamlit_app`. The command argument `streamlit_app` is the directory name of the Streamlit app you have created in the previous steps. Change it if you used a different name.
+   - If installing some packages is needed, pass the package names following the directory name like `npm run dump streamlit_app <PackageName1> ... <PackageNameN>`.
+   - The `-r` option like the `pip` command is also available to specify the text files listing the package names to install like `npm run dump streamlit_app -- -r requirements.txt` (NPM) or `yarn dump streamlit_app -r requirements.txt` (Yarn). Note that if you are using NPM, you need to add `--` before options such as `-r` in the `run` command ([ref](https://stackoverflow.com/questions/43046885/what-does-do-when-running-an-npm-command)).
+   - This `dump` command creates `./build` directory. It includes
+     - The stlite bare app files.
+     - `streamlit_app` directory copied from the one you created in the previous steps.
+     - `site-packages-snapshot.tar.gz` that includes the installed package files.
+8. Run `npm run serve` or `yarn serve` for preview.
+   - This command is just a wrapper of `electron` command as you can see at the `"scripts"` field in the `package.json`. It launches Electron and starts the app with `./build/electron/main.js`, which is specified at the `"main"` field in the `package.json`.
+9. Run `npm run dist` or `yarn dist` for packaging.
+   - This command bundles the `./build` directory created in the step above into application files (`.app`, `.exe`, `.dmg` etc.) in the `./dist` directory. To customize the built app, e.g. setting the icon, follow the [`electron-builder`](https://www.electron.build/) instructions.
+
+## Use the latest version of Electron
+
+To make your app secure, be sure to use the latest version of Electron.
+This is [announced](https://www.electronjs.org/docs/latest/tutorial/security#16-use-a-current-version-of-electron) as one of the security best practices in the Electron document too.
+
+## Limitations
+
+- Navigation to external resources like `st.markdown("[link](https://streamlit.io/)")` does not work for security. See https://github.com/whitphx/stlite/pull/445 and let us know if you have use cases where you have to use such external links.

package/build/electron/main.js

@@ -18,31 +18,48 @@ const createWindow = () => {
         height: 720,
         webPreferences: {
             preload: path.join(__dirname, "preload.js"),
+            sandbox: true, // https://www.electronjs.org/docs/latest/tutorial/security#4-enable-process-sandboxing
         },
     });
+    const indexUrl = electron_1.app.isPackaged || process.env.NODE_ENV === "production"
+        ? "file:///index.html"
+        : "http://localhost:3000/";
+    // Check the IPC sender in every callback below,
+    // following the security best practice, "17. Validate the sender of all IPC messages."
+    // https://www.electronjs.org/docs/latest/tutorial/security#17-validate-the-sender-of-all-ipc-messages
+    const isValidIpcSender = (frame) => {
+        return frame.url === indexUrl;
+    };
     electron_1.ipcMain.handle("readSitePackagesSnapshot", (ev) => {
+        if (!isValidIpcSender(ev.senderFrame)) {
+            throw new Error("Invalid IPC sender");
+        }
         // This archive file has to be created by ./bin/dump_snapshot.ts
         const archiveFilePath = path.resolve(__dirname, "../site-packages-snapshot.tar.gz");
         return fsPromises.readFile(archiveFilePath);
     });
     electron_1.ipcMain.handle("readStreamlitAppDirectory", async (ev) => {
+        if (!isValidIpcSender(ev.senderFrame)) {
+            throw new Error("Invalid IPC sender");
+        }
         const streamlitAppDir = path.resolve(__dirname, "../streamlit_app");
         return (0, file_1.walkRead)(streamlitAppDir);
     });
-    if (electron_1.app.isPackaged || process.env.NODE_ENV === "production") {
-        // Use .loadURL() with an absolute URL based on "/" instead of .loadFile()
-        // because absolute URLs with the file:// scheme will be resolved
-        // to absolute file paths based on the special handler
-        // registered through `interceptFileProtocol` below.
-        mainWindow.loadURL("file:///index.html");
-    }
-    else {
-        mainWindow.loadURL("http://localhost:3000");
-    }
+    // Even when the entrypoint is a local file like the production build,
+    // we use .loadURL() with an absolute URL with the `file://` schema
+    // instead of passing a file path to .loadFile()
+    // because absolute URLs with the file:// scheme will be resolved
+    // to absolute file paths based on the special handler
+    // registered through `interceptFileProtocol` below.
+    mainWindow.loadURL(indexUrl);
     if (!electron_1.app.isPackaged) {
         mainWindow.webContents.openDevTools();
     }
 };
+// Enable process sandboxing globally (https://www.electronjs.org/docs/latest/tutorial/sandbox#enabling-the-sandbox-globally),
+// following the security best practice, "4. Enable process sandboxing."
+// https://www.electronjs.org/docs/latest/tutorial/security#4-enable-process-sandboxing
+electron_1.app.enableSandbox();
 // This method will be called when Electron has finished
 // initialization and is ready to create browser windows.
 // Some APIs can only be used after this event occurs.
@@ -77,3 +94,36 @@ electron_1.app.on("window-all-closed", () => {
     if (process.platform !== "darwin")
         electron_1.app.quit();
 });
+electron_1.app.on("web-contents-created", (event, contents) => {
+    // Intercepts webView creation events and forbid all,
+    // following the security best practice, "12. Verify WebView options before creation."
+    // https://www.electronjs.org/docs/latest/tutorial/security#12-verify-webview-options-before-creation
+    contents.on("will-attach-webview", (event, webPreferences, params) => {
+        // Cancels all webView creation request
+        event.preventDefault();
+    });
+    // Intercepts navigation and forbid all,
+    // following the security best practice, "13. Disable or limit navigation."
+    // https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation
+    contents.on("will-navigate", (event, navigationUrl) => {
+        console.debug("will-navigate", navigationUrl);
+        event.preventDefault();
+    });
+    // Limit new windows creation,
+    // following the security best practice, "14. Disable or limit creation of new windows."
+    // https://www.electronjs.org/docs/latest/tutorial/security#14-disable-or-limit-creation-of-new-windows
+    contents.setWindowOpenHandler(({ url }) => {
+        console.error("Opening a new window is not allowed.");
+        // TODO: Implement `isSafeForExternalOpen()` below with a configurable allowed list.
+        // We'll ask the operating system
+        // to open this event's url in the default browser.
+        // DON'T pass an arbitrary URL to `shell.openExternal()` here
+        // as advised at "15. Do not use shell.openExternal with untrusted content."
+        // if (isSafeForExternalOpen(url)) {
+        //   setImmediate(() => {
+        //     shell.openExternal(url)
+        //   })
+        // }
+        return { action: "deny" };
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stlite/desktop",
-  "version": "0.21.1",
+  "version": "0.21.3",
   "license": "Apache-2.0",
   "homepage": "/",
   "main": "./build/electron/main.js",
@@ -57,8 +57,8 @@
   },
   "devDependencies": {
     "@craco/craco": "^6.1.2",
-    "@stlite/common": "^0.21.1",
-    "@stlite/kernel": "^0.21.1",
+    "@stlite/common": "^0.21.3",
+    "@stlite/kernel": "^0.21.3",
     "@testing-library/react": "^11.2.7",
     "@testing-library/user-event": "^13.1.9",
     "@types/jest": "^26.0.19",
@@ -66,8 +66,8 @@
     "@types/react": "^17.0.7",
     "@types/react-dom": "^17.0.5",
     "@types/yargs": "^17.0.13",
-    "electron": "20.2.0",
-    "electron-builder": "^23.3.3",
+    "electron": "^22.0.0",
+    "electron-builder": "^23.6.0",
     "electron-reload": "^2.0.0-alpha.1",
     "esbuild": "^0.16.6",
     "raw-loader": "^4.0.2",