security(electron): added content security policy and moved inline js out of html files + small refactoring and reformatting

Madman10K · Madman10K · commit 4bca2c5e255e · 2025-10-31T21:20:50.000+02:00
diff --git a/appimage-scripts/build_appimage.sh b/appimage-scripts/build_appimage.sh
@@ -177,6 +177,9 @@ cp "${ROOT_PATH}/src/helpers.js" "${APP_DIR}/helpers.js"
 cp "${ROOT_PATH}/src/frontend/index.html" "${APP_DIR}/src/index.html"
 cp "${ROOT_PATH}/src/frontend/index.html" "${APP_DIR}/index.html"
 
+cp "${ROOT_PATH}/src/frontend/init.js" "${APP_DIR}/src/init.js"
+cp "${ROOT_PATH}/src/frontend/init.js" "${APP_DIR}/init.js"
+
 cp "${ROOT_PATH}/src/frontend/subwindow.html" "${APP_DIR}/subwindow.html"
 cp "${ROOT_PATH}/src/frontend/subwindow.html" "${APP_DIR}/src/subwindow.html"
 
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
@@ -666,6 +666,7 @@
             cp -r src/frontend/index.html $out/
             cp -r src/frontend/subwindow.html $out/
 
+            cp -r src/frontend/init.js $out/
           '';
 
           meta.mainProgram = "ct";
diff --git a/non-nix-build/build_in_simple_env.sh b/non-nix-build/build_in_simple_env.sh
@@ -50,6 +50,8 @@ cp "$ROOT_DIR"/src/helpers.js "$DIST_DIR"/src/helpers.js
 cp "$ROOT_DIR"/src/helpers.js "$DIST_DIR"/helpers.js
 cp "$ROOT_DIR"/src/frontend/*.html "$DIST_DIR"/src/
 cp "$ROOT_DIR"/src/frontend/*.html "$DIST_DIR"/
+cp "$ROOT_DIR"/src/frontend/*.js "$DIST_DIR"/src/
+cp "$ROOT_DIR"/src/frontend/*.js "$DIST_DIR"/
 rm -f "$DIST_DIR"/config
 rm -f "$DIST_DIR"/public
 cp -r "$ROOT_DIR"/src/config "$DIST_DIR"/config
diff --git a/src/Tupfile b/src/Tupfile
@@ -5,6 +5,7 @@ include_rules
 : frontend/subwindow.nim |> !nim_node_subwindow |> subwindow.js | subwindow.js.map
 : frontend/index.nim |> !nim_node_index_server |> server_index.js | server_index.js.map
 : frontend/ui_js.nim |> !nim_js |> ui.js
+: frontend/init.js |> cp %f %o |> init.js
 # : frontend/browsersync_serv.nim |> !nim_node |> browsersync_serv.js
 # : frontend/codetracer_shell.nim |> !codetracer_shell |> bin/codetracer_shell.js
 
diff --git a/src/Tupfile.ini b/src/Tupfile.ini
diff --git a/src/frontend/index.html b/src/frontend/index.html
@@ -4,14 +4,28 @@
 <!-- bootstrap 4 : credit to bootstrap authors-->
 
 <!doctype html>
-<html>
+<html lang="en">
     <head>
         <meta charset='utf-8'>
         <title>CodeTracer</title>
 
+        <meta http-equiv="Content-Security-Policy" content="
+            default-src 'none';
+            script-src 'self';
+            style-src 'self' 'unsafe-inline';
+            img-src 'self' data: blob:;
+            font-src 'self' data:;
+            connect-src 'self';
+            worker-src 'self' blob:;
+            media-src 'self';
+            object-src 'none';
+            base-uri 'self';
+            form-action 'self';
+        ">
         <!--
           don't remove this: placeholder and default,
-          later we use `loadTheme` in ui_js.nim to load the configured theme -->
+          later we use `loadTheme` in ui_js.nim to load the configured theme
+        -->
         <link id='theme' rel='stylesheet' href='frontend/styles/default_dark_theme_electron.css'>
 
         <link rel='stylesheet' href='frontend/styles/loader.css'>
@@ -38,15 +52,7 @@
         <link rel="stylesheet" href="public/third_party/@exuanbo/file-icons-js/dist/css/file-icons.css" type="text/css" />
         <link rel="stylesheet" href="public/third_party/devicon-base.css" type="text/css" />
 
-        <script>
-          self.module = undefined
-          self.process.browser = true
-
-          window.electron = require('electron');
-
-          inElectron = true
-          loadScripts = true
-      </script>
+        <script type='text/javascript' src="init.js"></script>
 
     </head>
     <body>
diff --git a/src/frontend/init.js b/src/frontend/init.js
@@ -0,0 +1,8 @@
+'use strict'
+self.module = undefined
+self.process.browser = true
+
+window.electron = require('electron');
+
+window.inElectron = true
+window.loadScripts = true
diff --git a/src/frontend/lib/electron_lib.nim b/src/frontend/lib/electron_lib.nim
@@ -104,8 +104,8 @@ when defined(ctIndex) or defined(ctTest) or defined(ctInCentralExtensionContext)
 var nodePath*: NodePath
 
 when defined(ctRenderer):
-  var inElectron* {.importc.}: bool
-  var loadScripts* {.importc.}: bool
+  var inElectron* {.importc: "window.inElectron".}: bool
+  var loadScripts* {.importc: "window.loadScripts".}: bool
 else:
   var inElectron*: bool = false
   var loadScripts*: bool = false
diff --git a/src/frontend/preload.js b/src/frontend/preload.js
diff --git a/src/frontend/subwindow.html b/src/frontend/subwindow.html
@@ -1,16 +1,28 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
     <head>
         <meta charset="UTF-8">
+        <meta http-equiv="Content-Security-Policy" content="
+            default-src 'none';
+            script-src 'self';
+            style-src 'self' 'unsafe-inline';
+            img-src 'self' data: blob:;
+            font-src 'self' data:;
+            connect-src 'self';
+            worker-src 'self' blob:;
+            media-src 'self';
+            object-src 'none';
+            base-uri 'self';
+            form-action 'self';
+        ">
+
         <title>Install Subwindow</title>
         <link rel='stylesheet' href='frontend/styles/subwindow.css'>
     </head>
     <body>
         <div id="ROOT"></div>
-        <script>
-            window.electron = require('electron');
-            window.inElectron = true
-        </script>
+
+        <script type='text/javascript' src="init.js"></script>
         <script type="text/javascript" src="subwindow.js"></script>
     </body>
 </html>
diff --git a/src/frontend/webpack.config.js b/src/frontend/webpack.config.js
diff --git a/views/server_index.ejs b/views/server_index.ejs
@@ -5,14 +5,13 @@
 <!-- credit to Rick Strahl for jquery-resizable -->
 <!-- bootstrap 4 : credit to bootstrap authors-->
 
-<!doctype html>
-<html>
+<!DOCTYPE html>
+<html lang="">
     <head>
         <meta charset='utf-8'>
         <title>CodeTracer</title>
         <link rel="icon" type="image/svg+xml" href="public/resources/shared/codetracer_welcome_logo.svg"/>
 
-
         <!--
         don't remove this: placeholder and default,
         later we use `loadTheme` in ui_js.nim to load the configured theme -->
diff --git a/webpack.config.js b/webpack.config.js
@@ -2,25 +2,25 @@ const MonacoWebpackPlugin = require('monaco-editor-webpack-plugin');
 const path = require('path');
 
 module.exports = {
-  mode: 'development',
-  // devtool: "source-map",
+  mode: "production",
+  devtool: false,
   entry: "./src/frontend/frontend_imports.js",
   output: {
     globalObject: 'window',
     path: path.resolve(__dirname, 'src/public/dist'),
     filename: "frontend_bundle.js"
   },
   module: {
-      rules: [
-        {
-          test: /\.css$/,
-          use: ['style-loader', 'css-loader']
-        },
-        // {
-        //   test: /\.ttf$/,
-        //   type: 'asset/resource'
-        // }
-      ]
+    rules: [
+    {
+      test: /\.css$/,
+      use: ['style-loader', 'css-loader']
     },
-    plugins: [new MonacoWebpackPlugin()]
+    // {
+    //   test: /\.ttf$/,
+    //   type: 'asset/resource'
+    // }
+    ]
+  },
+  plugins: [new MonacoWebpackPlugin()]
 };
