
allows external style sheets by allowing https #56

Merged
merged 2 commits into from
Aug 1, 2018

Conversation

Pierce01
Contributor

No description provided.

gist-output added a commit to gist-output/BeautifulDiscord that referenced this pull request Jul 18, 2018
@Pierce01
Contributor Author

Pierce01 commented Jul 18, 2018

Alternatively, we could use the following if we wanted to keep the CSP for the most part.

require("electron").session.defaultSession.webRequest.onHeadersReceived(function(details, callback) {
	// Responses without a CSP header pass through untouched.
	if (!details.responseHeaders["content-security-policy"]) return callback({cancel: false});
	var headers = details.responseHeaders["content-security-policy"][0].split(';');

	// Rewrite the style-src and img-src directives in place; every other directive is kept as-is.
	for (var i = 0; i < headers.length; i++) {
		var header = headers[i].trim();
		if (header.startsWith('style-src')) {
			headers[i] = "style-src * 'unsafe-inline'";
		} else if (header.startsWith('img-src')) {
			headers[i] = "img-src *";
		} else {
			headers[i] = header;
		}
	}

	// Reassemble the policy (dropping empty segments) and hand the modified headers back to Electron.
	var newInfo = headers.filter(function(h) { return h.length > 0; }).join(';');
	details.responseHeaders["content-security-policy"][0] = newInfo;

	callback({cancel: false, responseHeaders: details.responseHeaders});
});

module.exports = require('./core.asar');
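As an added example (not code from this PR or from BeautifulDiscord), here is a variant of the same idea that widens only the named directives with an extra source such as https: and preserves the rest of the policy, which is what the PR's final title describes; parseCsp, relaxCspDirectives, relaxCspHeaders and installCspRelaxer are names chosen here, and the sample header is constructed.

```javascript
// Added example, not code from this PR: widen specific CSP fetch directives
// with extra sources (here https:) while keeping every other directive intact,
// instead of stripping the header entirely.

// Parse "name src src; name src" into ordered [name, sources[]] pairs.
function parseCsp(cspValue) {
  return cspValue.split(';').map((s) => s.trim()).filter(Boolean).map((seg) => {
    const [name, ...sources] = seg.split(/\s+/);
    return [name.toLowerCase(), sources];
  });
}

function relaxCspDirectives(cspValue, directives, extraSources) {
  const policy = parseCsp(cspValue);
  const defaults = policy.find(([name]) => name === 'default-src');
  const present = new Set(policy.map(([name]) => name));
  const merge = (sources) => [...new Set([...sources, ...extraSources])];
  const out = policy.map(([name, sources]) =>
    [name, ...(directives.includes(name) ? merge(sources) : sources)].join(' '));
  for (const name of directives) {
    // A fetch directive that is absent inherits default-src. Copy those sources
    // before widening, or the new directive would silently drop the inherited ones.
    if (!present.has(name)) out.push([name, ...merge(defaults ? defaults[1] : [])].join(' '));
  }
  return out.join('; ');
}

// Apply the rewrite to an Electron-style responseHeaders object (header names
// may arrive in any case; values are arrays of strings). Input is not mutated.
function relaxCspHeaders(responseHeaders, directives, extraSources) {
  const key = Object.keys(responseHeaders).find((k) => k.toLowerCase() === 'content-security-policy');
  if (!key) return responseHeaders;
  const updated = Object.assign({}, responseHeaders);
  updated[key] = responseHeaders[key].map((v) => relaxCspDirectives(v, directives, extraSources));
  return updated;
}

// Wiring for Electron's webRequest API; not executed here. `session` would be
// require('electron').session.defaultSession in the app's entry point.
function installCspRelaxer(session) {
  session.webRequest.onHeadersReceived((details, callback) => {
    const responseHeaders = relaxCspHeaders(details.responseHeaders, ['style-src', 'img-src', 'font-src'], ['https:']);
    callback({ cancel: false, responseHeaders });
  });
}

// Constructed sample policy and headers (not a real Discord response).
const SAMPLE_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' wss:";
const SAMPLE_HEADERS = { 'Content-Security-Policy': [SAMPLE_CSP], 'X-Frame-Options': ['DENY'] };
```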

@Rapptz
Collaborator

Rapptz commented Jul 20, 2018

I don't see the point of this, actually, considering that CSS injection still works even after the CSP headers, unless they've changed that recently?

@shikhir-arora

They did change it on Canary; they may have reverted it, though. It blocks on CSP for unsafe-inline and records the violation to Sentry. I actually noticed this more than a month ago, but it didn't do anything but throw a warning.

They made the change public today and announced it in the testers guild, though I'm not sure if they reverted it as they said they would for some changes. Either way, the code here does fix it. The loading happens right at the start, so nothing is loaded. It spawns a lot of annoying errors over CSS, and ignoring CSP headers handles that.

@Pierce01
Contributor Author

Pierce01 commented Jul 21, 2018

Hasn't reverted it to my knowledge, so imported style sheets and images would still get blocked by the new policy on Canary.

@Pierce01 Pierce01 changed the title from "allows external style sheets by removing CSP" to "allows external style sheets by allowing https" Jul 26, 2018
@Pierce01
Contributor Author

As the new title says, this allows style sheets, images, fonts, etc. to be loaded as long as they are served securely.

@AlexFlipnote
Contributor

Due to this unsafe-inline, I've had to upload the images I want to use to a hidden channel in order to get the same URL as discordapp.com; just keeping that as a note.

@leovoel leovoel merged commit d38b383 into leovoel:master Aug 1, 2018
@leovoel
Owner

leovoel commented Aug 1, 2018

Thanks!
