tauri-apps/archived-tauri-docs
1
0
Fork 0
mirror of https://github.com/tauri-apps/tauri-docs.git synced 2026-01-31 00:35:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

docs: add HeaderConfig to SecurityConfig + new Gudeline Proposals (#2950)

Browse Source 
Co-authored-by: Vitor Ayres <gitme@virtuaires.com.br>
This commit is contained in:
39zde
2024-11-13 21:19:21 +00:00
committed by GitHub
parent 966563e486
commit 75f2561adc
17 changed files with 352 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
.github/CONTRIBUTING.md vendored
View File

@@ -57,6 +57,32 @@ Use this chart to help you figure out where the right place for your content is:
- Make headings as succinct as possible to help the reader quickly find the content they need
- Use [simple present tense](https://www.grammarly.com/blog/simple-present/) for verbs
### New Features / Version Display
When writing about a new feature, display the version it was introduced.
Use the `SinceVersion` component for this, located at [`src/components/SinceVersion.astro`](../src//components/SinceVersion.astro).
Place it directly under the header, which describes the new feature.
When creating a new page add a Badge with the text `New` and variant `tip`.
The lifetime of this badge should not exceed 6 Months.
#### Example
Example file `my-new-page.mdx`
```mdx
---
title: My New Page
sidebar:
badge:
text: New
variant: tip
---
import SinceVersion from '../path/to/SinceVersion.astro';
<SinceVersion version="2.1.0" library="optional core library name" href="optional link" />
Documentation about 'My New Page'...
```
### Guide
Located in [`/src/content/docs/plugin/`](https://github.com/tauri-apps/tauri-docs/tree/v2/src/content/docs/plugin)

1
.prettierignore
View File

@@ -31,3 +31,4 @@ src/content/docs/learn/Security/writing-plugin-permissions.mdx
src/content/docs/start/frontend/qwik.mdx
src/content/docs/zh-cn/start/frontend/qwik.mdx
src/content/docs/learn/splashscreen.mdx
src/content/docs/security/http-headers.mdx

67
src/components/SinceVersion.astro Normal file
View File

@@ -0,0 +1,67 @@
---
/**
* @author 39zde <git@39z.de>
*/
import { Icon } from '@astrojs/starlight/components';
interface Props {
/**
* version string
* schema: x.y.z
* @example
* ```jsx
* // Valid ✅
* <SinceVersion version="2.1.0" />
* // Invalid ❌
* <SinceVersion version="v2.1.0" />
* <SinceVersion>2.1.0</SinceVersion>
* <SinceVersion version="2.1" />
* ```
*/
version: string;
/**
* The core library the documented feature belongs to, if applicapbe.
* Leave blank if not applicable and define the link manually.
*/
library?: 'tauri' | 'api' | 'rust-cli' | 'js-cli' | 'tauri-bundler' | 'wry' | 'tao';
/**
* overrides the link to release page
*
* if the `library` prop is defined, `href` defaults to:
* - `${Astro.url.origin}/release/${Astro.props.library}/v${Astro.props.version}`
*
* if the `library` prop is `undefined`, `href` defaults to:
* - defaults to `${Astro.url.origin}/release/tauri/v${Astro.props.version}`
*/
href?: string;
}
---
<a
class="not-content"
href={Astro.props.href
? Astro.props.href
: Astro.props.library
? `${Astro.url.origin}/release/${Astro.props.library}/v${Astro.props.version}`
: `${Astro.url.origin}/release/tauri/v${Astro.props.version}`}
target="_blank"
>
<Icon name="seti:clock" />Since <code>{Astro.props.version}</code>
</a>
<style>
a {
display: inline-flex;
justify-content: center;
align-items: center;
gap: 6px;
border-radius: 0.5rem;
padding: 2px 12px 2px 12px;
font-size: small;
box-shadow: var(--sl-shadow-md);
background-color: var(--sl-color-bg-inline-code);
margin: 0 0 12px 0;
color: var(--sl-color-gray-1) !important;
text-decoration: none;
}
</style>

2
src/content/docs/develop/Debug/index.mdx
View File

@@ -12,7 +12,7 @@ With all the moving pieces in Tauri, you may run into a problem that requires de
## Development Only Code
One of the most useful tools in your toolkit for debugging is the ability to add debugging statments in your code. However, you generally you don't want these to end up in production, which is where the ability to check whether you're running in development mode or not comes in handy.
One of the most useful tools in your toolkit for debugging is the ability to add debugging statements in your code. However, you generally you don't want these to end up in production, which is where the ability to check whether you're running in development mode or not comes in handy.
### In Rust

2
src/content/docs/develop/Plugins/develop-mobile.mdx
View File

@@ -35,7 +35,7 @@ This implementation simplifies the process of sharing an API that can be used bo
### Develop an Android Plugin
A Tauri plugin for Android is defined as a Kotlin class that extends `app.tauri.plugin.Plugin` and is annoted with `app.tauri.annotation.TauriPlugin`. Each method annotated with `app.tauri.annotation.Command` can be called by Rust or JavaScript.
A Tauri plugin for Android is defined as a Kotlin class that extends `app.tauri.plugin.Plugin` and is annotated with `app.tauri.annotation.TauriPlugin`. Each method annotated with `app.tauri.annotation.Command` can be called by Rust or JavaScript.
Tauri uses Kotlin by default for the Android plugin implementation, but you can switch to Java if you prefer. After generating a plugin, right click the Kotlin plugin class in Android Studio and select the "Convert Kotlin file to Java file" option from the menu. Android Studio will guide you through the project migration to Java.

2
src/content/docs/distribute/Pipelines/github.mdx
View File

@@ -27,7 +27,7 @@ Please see the `tauri-action` [readme](https://github.com/tauri-apps/tauri-actio
When your app is not on the root of the repository, use the `projectPath` input.
You may freely modify the worfklow name, change its triggers, and add more steps such as `npm run lint` or `npm run test`. The important part is that you keep the below line at the end of the workflow since this runs the build script and releases your app.
You may freely modify the workflow name, change its triggers, and add more steps such as `npm run lint` or `npm run test`. The important part is that you keep the below line at the end of the workflow since this runs the build script and releases your app.
### How to Trigger

2
src/content/docs/distribute/Sign/macos.mdx
View File

@@ -9,7 +9,7 @@ Code signing is required on macOS to allow your application to be listed in the
## Prerequisites
Code signing on macOS requries an [Apple Developer] account which is either paid (99$ per year) or on the free plan. You also need an Apple device where you perform the code signing. This is required by the signing process and due to Apple's Terms and Conditions.
Code signing on macOS requires an [Apple Developer] account which is either paid (99$ per year) or on the free plan. You also need an Apple device where you perform the code signing. This is required by the signing process and due to Apple's Terms and Conditions.
:::note
Note when using a free Apple Developer account, you will not be able to notarize your application and it will still show up as not verified when opening the app.

2
src/content/docs/learn/Security/capabilities-for-windows-and-platforms.mdx
View File

@@ -57,7 +57,7 @@ This exercise is meant to be read after completing [`Using Plugin Permissions`](
```
</ShowSolution>
#### Create Windows Programatically
#### Create Windows Programmatically
In the Rust code to create a Tauri app:

4
src/content/docs/learn/Security/writing-plugin-permissions.mdx
View File

@@ -95,7 +95,7 @@ and hand crafted.
These inbuilt permissions will be automatically generated by the Tauri build
system and will be visible in the `permissions/autogenerated/commands` folder.
By default an `enable-<commmand>` and `deny-<command>` permission will
By default an `enable-<command>` and `deny-<command>` permission will
be created.
</ShowSolution>
@@ -133,7 +133,7 @@ and hand crafted.
Expose the new command in the frontend module.
This step is essential for the example application to sucessfully
This step is essential for the example application to successfully
import the frontend module. This is for convenience and has
no security impact, as the command handler is already generated
and the command can be manually invoked from the frontend.

2
src/content/docs/plugin/biometric.mdx
View File

@@ -196,7 +196,7 @@ fn bio_auth(app_handle: tauri::AppHandle) {
confirmation_required: Some(true),
};
// if the authentication was succesfull, the function returns Result::Ok()
// if the authentication was successful, the function returns Result::Ok()
// otherwise returns Result::Error()
match app_handle.biometric().authenticate("This feature is locked".to_string(), options) {
Ok(_) => {

2
src/content/docs/security/ecosystem.mdx
View File

@@ -1,7 +1,7 @@
---
title: Tauri Ecosystem Security
sidebar:
order: 7
order: 8
---
Our Tauri organization ecosystem is hosted on GitHub and facilitates several

8
src/content/docs/security/future.mdx
View File

@@ -1,10 +1,10 @@
---
title: Future Work
sidebar:
order: 9
order: 10
---
This section descibes topics we started or would like to tackle
This section describes topics we started or would like to tackle
in the future to make Tauri apps even more secure.
If you feel interested in these topics or have pre-existing
knowledge we are always happy to welcome new contributors
@@ -43,7 +43,7 @@ Currently Tauri has no inbuilt method to do so but there is ongoing work to
ease this process.
All of these tools allow to properly test and inspect Tauri applications
without sorce code access and should be considered when building a Tauri application.
without source code access and should be considered when building a Tauri application.
We are planning to further support and implement related features in the future.
@@ -57,7 +57,7 @@ consider ways to further sandbox and isolate the webview processes.
Inbuilt and external sandboxing methods will be evaluated to reduce attack impact
and to enforce the IPC bridge for system access.
We believe that this part of our stack is the weak link but current generation WebViews
are improving in their hardening and exploit resillience.
are improving in their hardening and exploit resilience.
### Fuzzing

240
src/content/docs/security/http-headers.mdx Normal file
View File

@@ -0,0 +1,240 @@
---
title: HTTP Headers
author: 39zde <git@39zde>
sidebar:
order: 7
badge:
text: New
variant: tip
---
import SinceVersion from '../../../components/SinceVersion.astro';
<SinceVersion version="2.1.0" />
A header defined in the configuration gets sent along the responses to the webview.
This doesn't include IPC messages and error responses.
To be more specific, every response sent via the `get_response` function in
<a href="https://github.com/tauri-apps/tauri/blob/8e8312bb8201ccc609e4bbc1a990bdc314daa00f/crates/tauri/src/protocol/tauri.rs#L103" target="_blank">crates/tauri/src/protocol/tauri.rs ↗</a>
will include those headers.
### Header Names
The header names are limited to:
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials" target="_blank">Access-Control-Allow-Credentials ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers" target="_blank">Access-Control-Allow-Headers ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods" target="_blank">Access-Control-Allow-Methods ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers" target="_blank">Access-Control-Expose-Headers ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age" target="_blank">Access-Control-Max-Age ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy" target="_blank">Cross-Origin-Embedder-Policy ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy" target="_blank">Cross-Origin-Opener-Policy ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy" target="_blank">Cross-Origin-Resource-Policy ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy" target="_blank">Permissions-Policy ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin" target="_blank">Timing-Allow-Origin ↗</a>
- <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options" target="_blank">X-Content-Type-Options ↗</a>
- Tauri-Custom-Header
:::note
`Tauri-Custom-Header` is not intended for production use.
:::
:::note
<a href="../csp/">The Content-Security-Policy (CSP)</a> is not defined here.
:::
### How to Configure Headers
- with a string
- with an Array of strings
- with an Object/Key-Value, where the values must be strings
- with null
The header values are always converted to strings for the actual response. Depending, on how the configuration file looks, some header values need to be composed.
Those are the rules on how a composite gets created:
- `string`: stays the same for the resulting header value
- `Array`: items are joined by `, `  for the resulting header value
- `key-value`: items are composed from: key + space + value. Items are then joined by `; `  for the resulting header value
- `null`: header will be ignored
### Example
```javascript title="src-tauri/tauri.conf.json"
{
//...
"app":{
//...
"security": {
//...
"headers": {
"Cross-Origin-Opener-Policy": "same-origin",
"Cross-Origin-Embedder-Policy": "require-corp",
"Timing-Allow-Origin": [
"https://developer.mozilla.org",
"https://example.com",
],
"X-Content-Type-Options": null, // gets ignored
"Access-Control-Expose-Headers": "Tauri-Custom-Header",
"Tauri-Custom-Header": {
"key1": "'value1' 'value2'",
"key2": "'value3'"
}
},
// notice how the CSP is not defined under headers
"csp": "default-src 'self'; connect-src ipc: http://ipc.localhost",
}
}
}
```
:::note
`Tauri-Custom-Header` is not intended for production use.
For Tests: Remember to set `Access-Control-Expose-Headers` accordingly.
:::
In this example `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` are set to
allow for the use of <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer" target="_blank">`SharedArrayBuffer ↗`</a>.
`Timing-Allow-Origin` grants scripts loaded from the listed websites to access detailed network timing data via the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Resource_timing" target="_blank">Resource Timing API ↗</a>.
For the helloworld example, this config results in:
```http
access-control-allow-origin: http://tauri.localhost
access-control-expose-headers: Tauri-Custom-Header
content-security-policy: default-src 'self'; connect-src ipc: http://ipc.localhost; script-src 'self' 'sha256-Wjjrs6qinmnr+tOry8x8PPwI77eGpUFR3EEGZktjJNs='
content-type: text/html
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
tauri-custom-header: key1 'value1' 'value2'; key2 'value3'
timing-allow-origin: https://developer.mozilla.org, https://example.com
```
### Frameworks
Some development environments require extra settings, to emulate the production environment.
#### JavaScript/TypeScript
For setups running the build tool **Vite** (those include **Qwik, React, Solid, Svelte, and Vue**) add the wanted headers to `vite.config.ts`.
```typescript title=vite.config.ts
import { defineConfig } from 'vite';
export default defineConfig({
// ...
server: {
// ...
headers: {
'Cross-Origin-Opener-Policy': 'same-origin',
'Cross-Origin-Embedder-Policy': 'require-corp',
'Timing-Allow-Origin': 'https://developer.mozilla.org, https://example.com',
'Access-Control-Expose-Headers': 'Tauri-Custom-Header',
'Tauri-Custom-Header': "key1 'value1' 'value2'; key2 'value3'"
},
},
})
```
Sometimes the `vite.config.ts` is integrated into the frameworks configuration file, but the setup stays the same.
In case of **Angular** add them to `angular.json`.
```json title=angular.json
{
//...
"projects":{
//...
"insert-project-name":{
//...
"architect":{
//...
"serve":{
//...
"options":{
//...
"headers":{
"Cross-Origin-Opener-Policy": "same-origin",
"Cross-Origin-Embedder-Policy": "require-corp",
"Timing-Allow-Origin": "https://developer.mozilla.org, https://example.com",
"Access-Control-Expose-Headers": "Tauri-Custom-Header",
"Tauri-Custom-Header": "key1 'value1' 'value2'; key2 'value3'"
}
}
}
}
}
}
}
```
And in case of **Nuxt** to `nuxt.config.ts`.
```typescript title=nuxt.config.ts
export default defineNuxtConfig({
//...
vite: {
//...
server: {
//...
headers:{
'Cross-Origin-Opener-Policy': 'same-origin',
'Cross-Origin-Embedder-Policy': 'require-corp',
'Timing-Allow-Origin': 'https://developer.mozilla.org, https://example.com',
'Access-Control-Expose-Headers': 'Tauri-Custom-Header',
'Tauri-Custom-Header': "key1 'value1' 'value2'; key2 'value3'"
}
},
},
});
```
**Next.js** doesn't rely on Vite, so the approach is different.
Read more about it <a href="https://nextjs.org/docs/pages/api-reference/next-config-js/headers" target="_blank">here ↗</a>.
The headers are defined in `next.config.js`.
```javascript title=next.config.js
module.exports = {
//...
async headers() {
return [
{
source: '/*',
headers: [
{
key: 'Cross-Origin-Opener-Policy',
value: 'same-origin',
},
{
key: 'Cross-Origin-Embedder-Policy',
value: 'require-corp',
},
{
key: 'Timing-Allow-Origin',
value: 'https://developer.mozilla.org, https://example.com',
},
{
key: 'Access-Control-Expose-Headers',
value: 'Tauri-Custom-Header',
},
{
key: 'Tauri-Custom-Header',
value: "key1 'value1' 'value2'; key2 'value3'",
},
],
},
]
},
}
```
#### Rust
For **Yew** and **Leptos** add the headers to `Trunk.toml`
```toml title=Trunk.toml
#...
[serve]
#...
headers = {
"Cross-Origin-Opener-Policy" = "same-origin",
"Cross-Origin-Embedder-Policy" = "require-corp",
"Timing-Allow-Origin" = "https://developer.mozilla.org, https://example.com",
"Access-Control-Expose-Headers" = "Tauri-Custom-Header",
"Tauri-Custom-Header" = "key1 'value1' 'value2'; key2 'value3'"
}
```

4
src/content/docs/security/lifecycle.mdx
View File

@@ -1,7 +1,7 @@
---
title: Application Lifecycle Threats
sidebar:
order: 8
order: 9
---
Tauri applications are composed of many pieces at different points in time of the application lifecycle.
@@ -100,7 +100,7 @@ mutual authentication and transport encryption at the moment and should not be u
Hardening your development systems depends on various factors and on your personal
threat model but some generic advice we recommend to follow:
- Never use adminstrative accounts for day to day tasks like coding
- Never use administrative accounts for day to day tasks like coding
- Never use production secrets on development machines
- Prevent secrets to be checked into source code version control
- Use security hardware tokens or similar to reduce impact of compromised systems

2
src/content/docs/security/scope.mdx
View File

@@ -7,7 +7,7 @@ sidebar:
A scope is a granular way to define (dis)allowed behavior of a Tauri command.
Scopes are categorized into `allow` or `deny` scopes, where `deny` always
superseeds the `allow` scope.
supersedes the `allow` scope.
The scope type needs be of any [`serde`](https://docs.rs/serde/latest/serde/) serializable type.
These types are plugin-specific in general. For scoped commands implemented in a Tauri application

2
src/content/docs/start/migrate/from-tauri-1.mdx
View File

@@ -12,7 +12,7 @@ This guide walks you through upgrading your Tauri 1.0 application to Tauri 2.0.
## Preparing for Mobile
The mobile interface of Tauri requires your project to output a shared library. If you are targetting mobile for your existing application, you must change your crate to produce that kind of artifact along with the desktop executable.
The mobile interface of Tauri requires your project to output a shared library. If you are targeting mobile for your existing application, you must change your crate to produce that kind of artifact along with the desktop executable.
1. Change the Cargo manifest to produce the library. Append the following block:

2
src/content/docs/start/prerequisites.mdx
View File

@@ -248,7 +248,7 @@ Only if you intend to use a JavaScript frontend framework
1. Go to [Node.js website](https://nodejs.org), download the Long Term Support (LTS) version and install it.
2. Check if Node was succesfully installed by running:
2. Check if Node was successfully installed by running:
```sh
node -v