Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[webpack] Add a configuration option to set the CSP header during development

See original GitHub issue

Preflight Checklist

I have read the contribution documentation for this project.
I agree to follow the code of conduct that this project follows, as appropriate.
I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Problem Description

Extracted from #2289:

Webpack property `devtool` default not playing nice with content-security-policy

The new implementation of the devtool-property in the webpack config doesn’t work with the following HTML tag: <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"> since that prevents execution from eval that is being run somewhere in the defaults of webpack.

Proposed Solution

Add a top-level Webpack plugin configuration option to customize the CSP header sent by webpack-dev-server.

Alternatives Considered

Again, from #2289:

Manually set devtool: 'source-map' for the renderer process

This isn’t ideal for a couple of reasons:

source-map is slower to generate than eval-source-map (or so I’m told)
This puts the onus on the app developer to know about this Webpack configuration option, and I’d prefer to avoid that.

Additional Information

Please note that app developers still need to set the <meta> tag appropriately, for when the Electron app is bundled and distributed.

This will probably also need documentation on the website.

Issue Analytics

State:
Created 2 years ago
Comments:12 (2 by maintainers)

Top GitHub Comments

29reactions

UnsignedInt8commented, Jul 27, 2021

@malept, FYI, when we upgraded from 6.0.0-beta.57 to 6.0.0-beta.58 our app stopped working in development mode but works in production mode.

It appears that the default CSP headers in production mode allow for making requests to other domains (for example, we do POST requests to www.example.com), but the default CSP headers in development mode don’t allow this.

Add devContentSecurityPolicy to forge.config.js like this:

plugins: [
    [
      '@electron-forge/plugin-webpack',
      {
        devContentSecurityPolicy: `default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;`,
        mainConfig: './webpack.main.config.js',
        renderer: {
          config: './webpack.renderer.config.js',
          entryPoints: [
            {
              html: './src/index.html',
              js: './src/renderer.ts',
              name: 'main_window',
              preload: {
                js: './src/preload.ts',
              },
            },
          ],
        },
      },
    ],
  ]

1reaction

vladkrutenyukcommented, Jul 9, 2022

@malept, FYI, when we upgraded from 6.0.0-beta.57 to 6.0.0-beta.58 our app stopped working in development mode but works in production mode. It appears that the default CSP headers in production mode allow for making requests to other domains (for example, we do POST requests to www.example.com), but the default CSP headers in development mode don’t allow this.

Add devContentSecurityPolicy to forge.config.js like this:
plugins: [
    [
      '@electron-forge/plugin-webpack',
      {
        devContentSecurityPolicy: `default-src * self blob: data: gap:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * self 'unsafe-inline' blob: data: gap:; connect-src self * 'unsafe-inline' blob: data: gap:; frame-src * self blob: data: gap:;`,
        mainConfig: './webpack.main.config.js',
        renderer: {
          config: './webpack.renderer.config.js',
          entryPoints: [
            {
              html: './src/index.html',
              js: './src/renderer.ts',
              name: 'main_window',
              preload: {
                js: './src/preload.ts',
              },
            },
          ],
        },
      },
    ],
  ]

THANK YOU !!! it works))

Top Results From Across the Web

[webpack] Add a configuration option to set the CSP header ...

It appears that the default CSP headers in production mode allow for making requests to other domains (for example, we do POST requests...

Content Security Policies - webpack

Enabling CSP Here's an example of what a CSP header including a CDN white-listed URL might look like: Content-Security-Policy: default-src 'self'; script-src ' ......

Content Security Policies - Webpack 5 - W3cubDocs

Webpack is capable of adding nonce to all scripts that it loads. To activate the feature set a __webpack_nonce__ variable needs to be...

Content Security Policy: How to create an Iron-Clad nonce ...

In this Article, I will provide a step by step process on how to implement a CSP3 compliant strict-dynamic CSP policy and properly...

Content Security Policies - webpack 3 documentation

Webpack is capable of adding nonce to all scripts that it loads. ... A corresponding header Content-Security-Policy or meta tag <meta ...