CSP for all localhost pages

david-asher · Apr 25, 2021 · cda6d2f · cda6d2f
1 parent 24f3421
commit cda6d2f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 20 deletions.
diff --git a/lib/webserver.js b/lib/webserver.js
@@ -83,23 +83,6 @@ function _getWebOptions()
     }
 }
 
-function _useStaticFolders( folderList )
-{
-    const folderOptions = {
-        index: false,
-        maxAge: '1d',
-        redirect: false,
-        setHeaders: function (res, path, stat) {
-            res.set( 'Content-Security-Policy', global.ContentSecurityString )
-        }
-    }
-    if ( !Array.isArray( folderList ) ) folderList = [ folderList ]
-    folderList.forEach( (folder) => {
-        const slashFolder = '/' + folder.replace(/^\/+/, '')
-        appserver.use( slashFolder, express.static( process.env.INIT_CWD + slashFolder, folderOptions ) )
-    })
-}
-
 /*
  * This function will start the HTTPS local webserver and configure static document serving.
  * @param {app} mainApp - The Electron main app
@@ -164,8 +147,25 @@ function start( mainApp, staticFolders )
             appserver.use( '/api', _checkOurApp )
             appserver.use( helmet() )
 
-            _useStaticFolders( staticFolders )
+            // set ContentSecurityPolicy header for all local web pages
+            appserver.use((req, res, next) => {
+                res.set( 'Content-Security-Policy', global.ContentSecurityString )
+                next();
+            });
+
+            // set up static web content folders
+            const folderOptions = {
+                index: false,
+                maxAge: '1d',
+                redirect: false,
+            }
+            if ( 'string' == typeof (staticFolders) ) staticFolders = staticFolders.split( /,|;/ )
+            staticFolders.forEach( (folder) => {
+                const slashFolder = '/' + folder.replace(/^\/+/, '')
+                appserver.use( slashFolder, express.static( process.env.INIT_CWD + slashFolder, folderOptions ) )
+            })
 
+            // start the secure web server
             webtls = https.createServer( _getWebOptions(), appserver )
             webtls.listen( global.appConfig.webapp.port, () => {
                 // console.log( "TLS server on port " + webtls.address().port )

diff --git a/lib/windows.js b/lib/windows.js
@@ -66,10 +66,9 @@ class open extends BrowserWindow
 
         if ( !urlOptions ) urlOptions = {}
         if ( global.userAgent && !urlOptions.userAgent ) urlOptions.userAgent = global.userAgent
-    
+
         // now that the window is configured, open it with the URL
         super.loadURL( urlToOpen, urlOptions )
-
     }
 
     /**