From 69f336a8fbd7039d3043fbdebd9575f59b4b3304 Mon Sep 17 00:00:00 2001
From: Thomas Weber
Date: Fri, 20 Dec 2024 16:59:39 -0600
Subject: [PATCH] Switch to protocol-level Content-Security-Policy for most windows

The header is stronger than the tag. Ensures extension documentation pages get a CSP.
---
 src-main/protocols.js | 41 ++++++++++++-------
 src-renderer/about/about.html | 1 -
 .../desktop-settings/desktop-settings.html | 1 -
 src-renderer/file-access/file-access.html | 1 -
 src-renderer/privacy/privacy.html | 1 -
 .../security-prompt/security-prompt.html | 1 -
 src-renderer/update/update.html | 1 -
 7 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/src-main/protocols.js b/src-main/protocols.js
index 47cb5556..1bb2d539 100644
--- a/src-main/protocols.js
+++ b/src-main/protocols.js
@@ -8,13 +8,14 @@ const packageJSON = require('../package.json');
 /**
  * @typedef Metadata
  * @property {string} root
- * @property {boolean} [standard]
- * @property {boolean} [supportFetch]
- * @property {boolean} [secure]
- * @property {boolean} [brotli]
- * @property {boolean} [embeddable]
- * @property {boolean} [stream]
- * @property {string} [index]
+ * @property {boolean} [standard] Defaults to false
+ * @property {boolean} [supportFetch] Defaults to false
+ * @property {boolean} [secure] Defaults to false
+ * @property {boolean} [brotli] Defaults to false
+ * @property {boolean} [embeddable] Defaults to false
+ * @property {boolean} [stream] Defaults to false
+ * @property {string} [index] Defaults to none
+ * @property {string} [csp] Defaults to none
  */
 
 /** @type {Record} */
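Review bot: The new `* @property {string} [csp] Defaults to none` line gives the default but not what the field is or how it is used, which matters more for this property than for the boolean flags because it is copied straight into a response header. Say so in the typedef, e.g. `* @property {string} [csp] Content-Security-Policy header value sent verbatim with every response for this scheme. Defaults to none (no header, no policy).` The "Defaults to false" annotations on the other flags are a welcome addition.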
@@ -27,13 +28,16 @@ const FILE_SCHEMES = {
     embeddable: true, // migration helper
   },
   'tw-desktop-settings': {
-    root: path.resolve(__dirname, '../src-renderer/desktop-settings')
+    root: path.resolve(__dirname, '../src-renderer/desktop-settings'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'"
   },
   'tw-privacy': {
-    root: path.resolve(__dirname, '../src-renderer/privacy')
+    root: path.resolve(__dirname, '../src-renderer/privacy'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'"
   },
   'tw-about': {
-    root: path.resolve(__dirname, '../src-renderer/about')
+    root: path.resolve(__dirname, '../src-renderer/about'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'"
   },
   'tw-packager': {
     root: path.resolve(__dirname, '../src-renderer/packager'),
@@ -44,23 +48,28 @@ const FILE_SCHEMES = {
   'tw-library': {
     root: path.resolve(__dirname, '../dist-library-files'),
     supportFetch: true,
-    brotli: true
+    brotli: true,
+    csp: "default-src 'none';"
   },
   'tw-extensions': {
     root: path.resolve(__dirname, '../dist-extensions'),
     supportFetch: true,
     embeddable: true,
     stream: true,
-    index: '.html'
+    index: '.html',
+    csp: "default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
   },
   'tw-update': {
     root: path.resolve(__dirname, '../src-renderer/update'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'; connect-src https://desktop.turbowarp.org"
   },
   'tw-security-prompt': {
     root: path.resolve(__dirname, '../src-renderer/security-prompt'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline';"
   },
   'tw-file-access': {
     root: path.resolve(__dirname, '../src-renderer/file-access'),
+    csp: "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'"
   }
 };
 
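Review bot: The policy `default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'` is written out by hand five times (tw-desktop-settings, tw-privacy, tw-about, tw-security-prompt, tw-file-access) and has already drifted: the tw-security-prompt copy ends in a stray `;`, which the CSP parser tolerates but which makes it unclear whether the strings are meant to be identical. Hoist it into one constant above FILE_SCHEMES, e.g. `const LOCAL_PAGE_CSP = "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'";`, and reference it from each entry so the windows cannot silently diverge; tw-update can then be `${LOCAL_PAGE_CSP}; connect-src https://desktop.turbowarp.org`. A short comment on that constant should also record that `'unsafe-inline'` in script-src is deliberate because these pages use inline scripts (presumably the same policy the removed meta tags carried), and that nonces or hashes would be the way to tighten it later, since a reader seeing `default-src 'none'` next to `'unsafe-inline'` will otherwise wonder which one is the mistake. The same applies to tw-extensions, where `script-src 'self' 'unsafe-inline'` is the one policy that also loads external scripts.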
@@ -159,11 +168,15 @@ const errorPageHeaders = {
  */
 const getBaseProtocolHeaders = metadata => {
   const result = {
-    // Make sure the browser always trusts our content-type
-    // (probably does not do anything here)
+    // Make sure Chromium always trusts our content-type and doesn't try anything clever
     'x-content-type-options': 'nosniff'
   };
 
+  // Optional Content-Security-Policy
+  if (metadata.csp) {
+    result['content-security-policy'] = metadata.csp;
+  }
+
   // Don't allow things like extensiosn to embed custom protocols
   if (!metadata.embeddable) {
     result['x-frame-options'] = 'DENY';
diff --git a/src-renderer/about/about.html b/src-renderer/about/about.html
index c4a2b727..2ad66b97 100644
--- a/src-renderer/about/about.html
+++ b/src-renderer/about/about.html
@@ -2,7 +2,6 @@ -
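Review bot: A scheme that omits `csp` now has no policy at all: the `if (metadata.csp)` guard simply skips the header, and the diffstat shows this commit also deletes one line from each renderer HTML page (presumably the `<meta http-equiv>` policy), so the header is the only policy left for those windows and forgetting the field on a new scheme fails open rather than closed. The comment above the guard should make that explicit, e.g. `// Optional Content-Security-Policy, sent verbatim. Schemes without one get no policy now that the pages' meta tags are gone, so new schemes should set it.` The guard is adequate for the non-empty string constants in FILE_SCHEMES; an empty string is also skipped, which matches the "Defaults to none" typedef wording. While here, the context line still reads `extensiosn`. getBaseProtocolHeaders continues past the end of the hunk, and whether every response path for a scheme, including the stream case, goes through these headers is not visible from here.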