
Commit 8e1ae08

committed
docs(http): Replace allowlist scope with capability scope
1 parent 264a044 commit 8e1ae08


1 file changed

+12
-10
lines changed


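--- a/plugins/http/guest-js/index.ts
+++ b/plugins/http/guest-js/index.ts
@@ -7,16 +7,18 @@
 *
 * ## Security
 *
-* This API has a scope configuration that forces you to restrict the URLs and paths that can be accessed using glob patterns.
+* This API has a scope configuration that forces you to restrict the URLs that can be accessed using glob patterns.
 *
-* For instance, this scope configuration only allows making HTTP requests to the GitHub API for the `tauri-apps` organization:
+* For instance, this scope configuration only allows making HTTP requests to all subdomains for `tauri.app` except for `https://private.tauri.app`:
 * ```json
 * {
-* "plugins": {
-* "http": {
-* "scope": ["https://api.github.com/repos/tauri-apps/*"]
+* "permissions": [
+* {
+* "identifier": "http:default",
+* "allow": [{ "url": "https://*.tauri.app" }],
+* "deny": [{ "url": "https://private.tauri.app" }]
 * }
-* }
+* ]
 * }
 * ```
 * Trying to execute any API with a URL not configured on the scope results in a promise rejection due to denied access.
@@ -100,7 +102,7 @@ export interface ClientOptions {
 */
 export async function fetch(
 input: URL | Request | string,
-init?: RequestInit & ClientOptions,
+init?: RequestInit & ClientOptions
 ): Promise<Response> {
 const maxRedirections = init?.maxRedirections;
 const connectTimeout = init?.connectTimeout;
@@ -148,7 +150,7 @@ export async function fetch(
 // we need to ensure we have all header values as strings
 // eslint-disable-next-line
 typeof val === "string" ? val : (val as any).toString(),
-],
+]
 );
 
 const rid = await invoke<number>("plugin:http|fetch", {
@@ -191,7 +193,7 @@ export async function fetch(
 "plugin:http|fetch_read_body",
 {
 rid: responseRid,
-},
+}
 );
 
 const res = new Response(
@@ -204,7 +206,7 @@ export async function fetch(
 headers: responseHeaders,
 status,
 statusText,
-},
+}
 );
 
 // url is read only but seems like we can do this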
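Review bot: The closing sentence of the Security section (new line 24, unchanged context) says only that a URL "not configured on the scope" is rejected, which no longer describes the new example: `https://private.tauri.app` is configured, under `deny`, and is meant to be refused. The example depends on `deny` winning over the overlapping `allow` glob, and the text never states that; I would reword the line to `* Trying to execute any API with a URL that is not allowed by the scope, or that matches a deny entry, results in a promise rejection due to denied access.` It would also help to say where this JSON goes (a capability file, judging by the commit title) and whether `https://*.tauri.app` is meant to cover every path on those hosts, since "and paths" was dropped from the first sentence. The doc comment starts above the first hunk, so any earlier wording is not visible here. The trailing-comma removals in the four later hunks are formatting only and look unrelated to a docs commit.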
