From ec0d26ae4e8590c60dc2fc31c251c9b5c39e4bd4 Mon Sep 17 00:00:00 2001
From: Rajat Parashar
Date: Wed, 6 Jul 2022 11:04:33 +0530
Subject: [PATCH] Fix CSP for statement frames on Desktop

---
 desktop/main.js | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/desktop/main.js b/desktop/main.js
index 05361d0b2fdb..879d60f78d76 100644
--- a/desktop/main.js
+++ b/desktop/main.js
@@ -47,6 +47,7 @@ _.assign(console, log.functions);
 // until it detects that it has been upgraded to the correct version.
 const EXPECTED_UPDATE_VERSION_FLAG = '--expected-update-version';
+const APP_DOMAIN = __DEV__ ? `http://localhost:${port}` : 'app://*';
 let expectedUpdateVersion;
 for (let i = 0; i < process.argv.length; i++) {
@@ -159,18 +160,19 @@ const mainWindow = (() => {
 details.requestHeaders.referer = CONFIG.EXPENSIFY.URL_EXPENSIFY_CASH;
 callback({requestHeaders: details.requestHeaders});
 });
-
- // Modify access-control-allow-origin header for the response
- webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
- details.responseHeaders['access-control-allow-origin'] = ['app://-'];
- callback({responseHeaders: details.responseHeaders});
- });
- } else {
- webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
- details.responseHeaders['access-control-allow-origin'] = [`http://localhost:${process.env.PORT}`];
- callback({responseHeaders: details.responseHeaders});
- });
 }
+
+ // Modify access-control-allow-origin header and CSP for the response
+ webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => {
+ details.responseHeaders['access-control-allow-origin'] = [APP_DOMAIN];
+ if (details.responseHeaders['content-security-policy']) {
+ details.responseHeaders['content-security-policy'] = _.map(
+ details.responseHeaders['content-security-policy'],
+ value => (value.startsWith('frame-ancestors') ? `${value} ${APP_DOMAIN}` : value),
+ );
+ }
+ callback({responseHeaders: details.responseHeaders});
+ });
 /* eslint-enable */
 
 // Prod and staging overwrite the app name in the electron-builder config, so only update it here for dev
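Review bot: The `startsWith('frame-ancestors')` test in the new `_.map` callback only fires when `frame-ancestors` is the first directive of a CSP header value, and the `${value} ${APP_DOMAIN}` append then lands after the header's last directive rather than on `frame-ancestors`, so a value such as `default-src 'self'; frame-ancestors 'self'` is never patched, while one that merely begins with `frame-ancestors` gets the origin appended to whatever directive comes last. Patch the directive wherever it sits in the `;`-separated list, e.g. `value => _.map(value.split(';'), d => (d.trim().startsWith('frame-ancestors') ? d + ' ' + APP_DOMAIN : d)).join(';')`. Separately, `APP_DOMAIN` (defined in the hunk above as `'app://*'` outside `__DEV__`) is also written into `access-control-allow-origin`, which the Fetch CORS check compares for byte equality against the request origin unless it is the literal `*`; the removed line used the concrete `'app://-'`, and `app://*` will not equal that origin, so production API responses would presumably fail the CORS check unless Electron's network layer differs — `'app://-'` is also a valid `frame-ancestors` host-source, so it can serve both uses. The `mainWindow` callback and the `if` block whose closing `}` is the context line here both start before this hunk.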