Upgrade to latest electron. Add some form of csp.

package.json

@@ -2,7 +2,7 @@
  "name": "dive-downloader",
  "description": "Download dives from any divecomputer with an electron app",
  "productName": "dive-downloader",
- "version": "0.1.5",
+ "version": "0.1.6",
  "main": ".webpack/main",
  "scripts": {
  "lint": "eslint src --ext .js,.jsx,.ts,.tsx",
@@ -96,7 +96,7 @@
  "@typescript-eslint/parser": "^6.4.0",
  "@vercel/webpack-asset-relocator-loader": "^1.7.3",
  "css-loader": "^6.7.1",
- "electron": "^19.0.10",
+ "electron": "^26.0.0",
  "eslint": "^8.21.0",
  "eslint-config-prettier": "^9.0.0",
  "eslint-plugin-compat": "^4.0.2",

src/main/main.ts

@@ -11,6 +11,7 @@
 import path from 'path';
 import { app, BrowserWindow, shell, ipcMain, dialog, session } from 'electron';
 import MenuBuilder from './menu';
+import { serviceOrigin } from '../services/api/config';
 
 declare const MAIN_WINDOW_WEBPACK_ENTRY: string;
 
@@ -79,11 +80,17 @@ const createWindow = async () => {
  mainWindow = null;
  });
 
+ const cspConnectSrc = ["'self'", serviceOrigin];
+ const cspDefaultSrc = ["'self'", 'data:', "'unsafe-inline'"];
+ if (isDebug) {
+ cspDefaultSrc.push("'unsafe-eval'")
+ }
+
  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
  callback({
  responseHeaders: {
  ...details.responseHeaders,
- 'Content-Security-Policy': ['default-src \'self\' \'unsafe-inline\' \'unsafe-eval\' data: https://api.dive.littledev.nl http://api.littledivelog.local']
+ 'Content-Security-Policy': [`default-src ${cspDefaultSrc.join(' ')}; connect-src ${cspConnectSrc.join(' ')}`]
  }
  })
  })

src/services/api/config.ts

@@ -1,7 +1,9 @@
 const useProduction = process.env.NODE_ENV === 'production';
 
-export const serviceUrl = useProduction
- ? 'https://api.dive.littledev.nl/api'
- : 'http://api.littledivelog.local/api';
+export const serviceOrigin = useProduction
+? 'https://api.dive.littledev.nl'
+: 'http://api.littledivelog.local'
+
+export const serviceUrl = `${serviceOrigin}/api`;
 
 export default serviceUrl;