[electron] Enable WebSecurity (#3500)

decred · Jun 10, 2021 · f448243 · f448243
1 parent d9d358a
commit f448243
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 18 deletions.
diff --git a/app/main.development.js b/app/main.development.js
@@ -1,5 +1,4 @@
 import fs from "fs-extra";
-import os from "os";
 import path from "path";
 import parseArgs from "minimist";
 import { app, BrowserWindow, Menu, dialog } from "electron";
@@ -673,10 +672,6 @@ app.on("ready", async () => {
     url = `http://localhost:${port}/dist/app.html`;
   }
 
-  // enable remote module on windows, as decrediton will crash, otherwise, but
-  // avoid it on other systems, as electron is moving away from it.
-  const enableRemoteModule = os.platform() == "win32" ? true : false;
-
   let windowOpts = {
     show: false,
     minWidth: 350,
@@ -687,8 +682,8 @@ app.on("ready", async () => {
       nodeIntegration: false,
       devTools: true,
       contextIsolation: true,
-      webSecurity: false,
-      enableRemoteModule,
+      webSecurity: true,
+      enableRemoteModule: false,
       preload: preloadPath
     },
     icon: __dirname + "/icon.png"

diff --git a/app/main_dev/externalRequests.js b/app/main_dev/externalRequests.js
@@ -96,10 +96,11 @@ export const installSessionHandlers = (mainLogger) => {
 
   session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
     const newHeaders = { ...details.responseHeaders };
+    let statusLine = details.statusLine;
 
-    if (/app\.html$/.test(details.url)) {
-      const isDev = process.env.NODE_ENV === "development";
+    const isDev = process.env.NODE_ENV === "development";
 
+    if (/app\.html$/.test(details.url)) {
       // Allow unsafe-eval in dev mode due to react-devtools requiring it.
       const defaultSrc = isDev ? "'self' 'unsafe-eval'" : "'self'";
 
@@ -121,18 +122,31 @@ export const installSessionHandlers = (mainLogger) => {
         `connect-src ${connectSrc}; `;
     }
 
-    if (
-      process.env.NODE_ENV === "development" &&
-      allowedExternalRequests[EXTERNALREQUEST_TREZOR_BRIDGE] &&
-      /^http:\/\/127.0.0.1:21325\//.test(details.url)
-    ) {
-      // For development (when accessing via the HMR server) we need to overwrite
-      // the origin, otherwise electron fails to contact trezor bridge due to
-      // CORS violation.
+    if (isDev && /^http[s]?:\/\//.test(details.url)) {
+      // In development (when accessing via the HMR server) we need to overwrite
+      // the origin, otherwise electron fails to contact external servers due
+      // to missing or wrong Access-Control-Allow-Origin when webSecurity is
+      // enabled.
+      Object.keys(newHeaders).forEach(
+        (k) =>
+          k.toLowerCase() === "access-control-allow-origin" &&
+          delete newHeaders[k]
+      );
       newHeaders["Access-Control-Allow-Origin"] = "http://localhost:3000";
+
+      // When calling a Politeia POST endpoint in dev mode, electron performs
+      // a preflight OPTIONS call. Include the "Content-Type" as an allowed
+      // header because Politeia doesn't currently does this.
+      const isPoliteia =
+        details.url.startsWith(POLITEIA_URL_TESTNET) ||
+        details.url.startsWith(POLITEIA_URL_MAINNET);
+      if (isPoliteia && details.method === "OPTIONS") {
+        statusLine = "OK";
+        newHeaders["Access-Control-Allow-Headers"] = "Content-Type";
+      }
     }
 
-    callback({ responseHeaders: newHeaders });
+    callback({ responseHeaders: newHeaders, statusLine });
   });
 };