From cda6d2fb6319fe4f1915dee73f825b024f713767 Mon Sep 17 00:00:00 2001
From: David Asher
Date: Sun, 25 Apr 2021 12:52:27 -0400
Subject: [PATCH] CSP for all localhost pages
---
 lib/webserver.js | 36 ++++++++++++++++++------------------
 lib/windows.js | 3 +--
 2 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/lib/webserver.js b/lib/webserver.js
index b2fb33e..ee4f717 100644
--- a/lib/webserver.js
+++ b/lib/webserver.js
@@ -83,23 +83,6 @@ function _getWebOptions()
 }
 }
-function _useStaticFolders( folderList )
-{
- const folderOptions = {
- index: false,
- maxAge: '1d',
- redirect: false,
- setHeaders: function (res, path, stat) {
- res.set( 'Content-Security-Policy', global.ContentSecurityString )
- }
- }
- if ( !Array.isArray( folderList ) ) folderList = [ folderList ]
- folderList.forEach( (folder) => {
- const slashFolder = '/' + folder.replace(/^\/+/, '')
- appserver.use( slashFolder, express.static( process.env.INIT_CWD + slashFolder, folderOptions ) )
- })
-}
-
 /*
 * This function will start the HTTPS local webserver and configure static document serving.
 * @param {app} mainApp - The Electron main app
@@ -164,8 +147,25 @@ function start( mainApp, staticFolders )
 appserver.use( '/api', _checkOurApp )
 appserver.use( helmet() )
- _useStaticFolders( staticFolders )
+ // set ContentSecurityPolicy header for all local web pages
+ appserver.use((req, res, next) => {
+ res.set( 'Content-Security-Policy', global.ContentSecurityString )
+ next();
+ });
+
+ // set up static web content folders
+ const folderOptions = {
+ index: false,
+ maxAge: '1d',
+ redirect: false,
+ }
+ if ( 'string' == typeof (staticFolders) ) staticFolders = staticFolders.split( /,|;/ )
+ staticFolders.forEach( (folder) => {
+ const slashFolder = '/' + folder.replace(/^\/+/, '')
+ appserver.use( slashFolder, express.static( process.env.INIT_CWD + slashFolder, folderOptions ) )
+ })
+ // start the secure web server
 webtls = https.createServer( _getWebOptions(), appserver )
 webtls.listen( global.appConfig.webapp.port, () => {
 // console.log( "TLS server on port " + webtls.address().port )
diff --git a/lib/windows.js b/lib/windows.js
index 88e3903..2e6b105 100644
--- a/lib/windows.js
+++ b/lib/windows.js
@@ -66,10 +66,9 @@ class open extends BrowserWindow
 if ( !urlOptions ) urlOptions = {}
 if ( global.userAgent && !urlOptions.userAgent ) urlOptions.userAgent = global.userAgent
-
+
 // now that the window is configured, open it with the URL
 super.loadURL( urlToOpen, urlOptions )
-
 }
 /**
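Review bot: The new middleware in start() (lib/webserver.js hunk) sends `global.ContentSecurityString` on every response without checking that it is set. Express stringifies header values, so an unset global would presumably go out as `Content-Security-Policy: undefined` and, because this middleware is registered after `helmet()`, replace any policy helmet may have set. Failing at startup is safer: `if ( typeof global.ContentSecurityString !== 'string' || !global.ContentSecurityString ) throw new Error( 'ContentSecurityString is not configured' )`. Separately, the removed helper wrapped a non-array argument, while the inlined code calls `.forEach` on anything that is not a string and does not trim the split entries; `const folders = Array.isArray( staticFolders ) ? staticFolders : String( staticFolders ?? '' ).split( /,|;/ ).map( (f) => f.trim() ).filter( Boolean )` would cover both. start() begins and ends outside the hunk, so where the global is initialised is not visible here.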