fix: allow runtime stylesheet injection
This commit is contained in:
@@ -32,7 +32,7 @@
|
||||
"script-src": "'self' https://us.i.posthog.com https://eu.i.posthog.com https://us-assets.i.posthog.com https://eu-assets.i.posthog.com",
|
||||
"connect-src": "'self' ipc: http://ipc.localhost ws://localhost:9710 ws://127.0.0.1:9710 ws://localhost:9711 ws://127.0.0.1:9711 https:",
|
||||
"img-src": "'self' asset: http://asset.localhost data: blob: https:",
|
||||
"style-src": "'self' 'unsafe-inline' 'nonce-tolaria-codemirror-style' https://fonts.googleapis.com",
|
||||
"style-src": "'self' 'unsafe-inline' https://fonts.googleapis.com",
|
||||
"font-src": "'self' data: https://fonts.gstatic.com",
|
||||
"media-src": "'self' data: blob: https:",
|
||||
"object-src": "'none'"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
|
||||
import { renderHook, act } from '@testing-library/react'
|
||||
import { CODEMIRROR_CSP_NONCE, useCodeMirror, type CodeMirrorCallbacks } from './useCodeMirror'
|
||||
import { useCodeMirror, type CodeMirrorCallbacks } from './useCodeMirror'
|
||||
|
||||
const noop = () => {}
|
||||
const noopCallbacks: CodeMirrorCallbacks = {
|
||||
@@ -31,14 +31,6 @@ describe('useCodeMirror', () => {
|
||||
expect(container.querySelector('.cm-editor')).toBeInTheDocument()
|
||||
})
|
||||
|
||||
it('mounts CodeMirror generated styles with the configured CSP nonce', () => {
|
||||
const ref = { current: container }
|
||||
renderHook(() => useCodeMirror(ref, 'hello', noopCallbacks))
|
||||
|
||||
const style = document.head.querySelector(`style[nonce="${CODEMIRROR_CSP_NONCE}"]`)
|
||||
expect(style?.textContent).toContain('.cm-scroller')
|
||||
})
|
||||
|
||||
it('calls requestMeasure when laputa-zoom-change event fires', () => {
|
||||
const ref = { current: container }
|
||||
const { result } = renderHook(() =>
|
||||
|
||||
@@ -16,8 +16,6 @@ const RAW_EDITOR_COLORS = {
|
||||
gutterBorder: 'var(--border-subtle)',
|
||||
gutterText: 'var(--text-muted)',
|
||||
}
|
||||
export const CODEMIRROR_CSP_NONCE = 'tolaria-codemirror-style'
|
||||
|
||||
export interface CodeMirrorCallbacks {
|
||||
onDocChange: (doc: string) => void
|
||||
onCursorActivity: (view: EditorView) => void
|
||||
@@ -145,7 +143,6 @@ export function useCodeMirror(
|
||||
buildArrowLigaturesExtension(),
|
||||
keymap.of([...defaultKeymap, ...historyKeymap]),
|
||||
buildSaveKeymap(callbacksRef),
|
||||
EditorView.cspNonce.of(CODEMIRROR_CSP_NONCE),
|
||||
buildBaseTheme(),
|
||||
markdownLanguage(),
|
||||
frontmatterHighlightTheme(),
|
||||
|
||||
11
src/utils/tauriCsp.test.ts
Normal file
11
src/utils/tauriCsp.test.ts
Normal file
@@ -0,0 +1,11 @@
|
||||
import { readFileSync } from 'node:fs'
|
||||
|
||||
describe('Tauri Content Security Policy', () => {
|
||||
it('keeps broad inline styles available when runtime libraries inject style tags', () => {
|
||||
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
|
||||
const styleSrc = config.app.security.csp['style-src'] as string
|
||||
|
||||
expect(styleSrc).toContain("'unsafe-inline'")
|
||||
expect(styleSrc).not.toMatch(/'nonce-|sha(256|384|512)-/)
|
||||
})
|
||||
})
|
||||
Reference in New Issue
Block a user