notnite.com / moonlight
this repo has no description
fork atom

Add support for extensions extending the Content-Security-Policy header (#202)

Maxine 4f38e7b4 00037f6d

options
unified split
Changed files
+25 -2
packages
injector
src
index.ts
types
src
extension.ts
+19 -2
packages/injector/src/index.ts 
···

       
76

       
 

       
  blockedUrls = compiled;


     

       
77

       
 

       
});


     

       
78

       
 

       



     

       
79

       
-

       
function patchCsp(headers: Record<string, string[]>) {


     

       
80

       
 

       
  const directives = ["script-src", "style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"];


     

       
81

       
 

       
  const values = ["*", "blob:", "data:", "'unsafe-inline'", "'unsafe-eval'", "disclip:"];


     

       
82

       
 

       



     
···

       
97

       
 

       
    parts[directive] = values;


     

       
98

       
 

       
  }


     

       
99

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
100

       
 

       
  const stringified = Object.entries<string[]>(parts)


     

       
101

       
 

       
    .map(([key, value]) => {


     

       
102

       
 

       
      return `${key} ${value.join(" ")}`;


     
···

       
122

       
 

       
    // Event for when a window is created


     

       
123

       
 

       
    moonlightHost.events.emit("window-created", this, isMainWindow);


     

       
124

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
125

       
 

       
    this.webContents.session.webRequest.onHeadersReceived((details, cb) => {


     

       
126

       
 

       
      if (details.responseHeaders != null) {


     

       
127

       
 

       
        // Patch CSP so things can use externally hosted assets


     

       
128

       
 

       
        if (details.resourceType === "mainFrame") {


     

       
129

       
-

       
          patchCsp(details.responseHeaders);


     

       
130

       
 

       
        }


     

       
131

       
 

       



     

       
132

       
 

       
        // Allow plugins to bypass CORS for specific URLs


     
···

       
76

       
 

       
  blockedUrls = compiled;


     

       
77

       
 

       
});


     

       
78

       
 

       



     

       
79

       
+

       
function patchCsp(headers: Record<string, string[]>, extensionCspOverrides: Record<string, string[]>) {


     

       
80

       
 

       
  const directives = ["script-src", "style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"];


     

       
81

       
 

       
  const values = ["*", "blob:", "data:", "'unsafe-inline'", "'unsafe-eval'", "disclip:"];


     

       
82

       
 

       



     
···

       
97

       
 

       
    parts[directive] = values;


     

       
98

       
 

       
  }


     

       
99

       
 

       



     

       
100

       
+

       
  for (const [directive, urls] of Object.entries(extensionCspOverrides)) {


     

       
101

       
+

       
    parts[directive] ??= [];


     

       
102

       
+

       
    parts[directive].push(...urls);


     

       
103

       
+

       
  }


     

       
104

       
+

       



     

       
105

       
 

       
  const stringified = Object.entries<string[]>(parts)


     

       
106

       
 

       
    .map(([key, value]) => {


     

       
107

       
 

       
      return `${key} ${value.join(" ")}`;


     
···

       
127

       
 

       
    // Event for when a window is created


     

       
128

       
 

       
    moonlightHost.events.emit("window-created", this, isMainWindow);


     

       
129

       
 

       



     

       
130

       
+

       
    const extensionCspOverrides: Record<string, string[]> = {};


     

       
131

       
+

       



     

       
132

       
+

       
    {


     

       
133

       
+

       
      const extCsps = moonlightHost.processedExtensions.extensions.map((x) => x.manifest.csp ?? {});


     

       
134

       
+

       
      for (const csp of extCsps) {


     

       
135

       
+

       
        for (const [directive, urls] of Object.entries(csp)) {


     

       
136

       
+

       
          extensionCspOverrides[directive] ??= [];


     

       
137

       
+

       
          extensionCspOverrides[directive].push(...urls);


     

       
138

       
+

       
        }


     

       
139

       
+

       
      }


     

       
140

       
+

       
    }


     

       
141

       
+

       



     

       
142

       
 

       
    this.webContents.session.webRequest.onHeadersReceived((details, cb) => {


     

       
143

       
 

       
      if (details.responseHeaders != null) {


     

       
144

       
 

       
        // Patch CSP so things can use externally hosted assets


     

       
145

       
 

       
        if (details.resourceType === "mainFrame") {


     

       
146

       
+

       
          patchCsp(details.responseHeaders, extensionCspOverrides);


     

       
147

       
 

       
        }


     

       
148

       
 

       



     

       
149

       
 

       
        // Allow plugins to bypass CORS for specific URLs
+6
packages/types/src/extension.ts 
···

       
135

       
 

       
   * @example https://moonlight-mod.github.io/


     

       
136

       
 

       
   */


     

       
137

       
 

       
  blocked?: string[];


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
138

       
 

       
};


     

       
139

       
 

       



     

       
140

       
 

       
export enum ExtensionEnvironment {


     
···

       
135

       
 

       
   * @example https://moonlight-mod.github.io/


     

       
136

       
 

       
   */


     

       
137

       
 

       
  blocked?: string[];


     

       
138

       
+

       



     

       
139

       
+

       
  /**


     

       
140

       
+

       
   * A mapping from CSP directives to URLs to allow.


     

       
141

       
+

       
   * @example { "script-src": ["https://example.com"] }


     

       
142

       
+

       
   */


     

       
143

       
+

       
  csp?: Record<string, string[]>;


     

       
144

       
 

       
};


     

       
145

       
 

       



     

       
146

       
 

       
export enum ExtensionEnvironment {