mirrors/Equicord
1
1
Fork 0
mirror of https://github.com/Equicord/Equicord.git synced 2025-06-20 20:07:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

fix: correctly allow resources from localhost

Browse source
This commit is contained in:
Vendicated 2025-06-14 00:55:14 +02:00
parent b35b72c066
commit 2a398985cf
No known key found for this signature in database
GPG key ID: D66986BAF75ECF18
3 changed files with 11 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/components/VencordSettings/ThemesTab.tsx
View file

@ -375,13 +375,13 @@ export function CspErrorCard() {
const isImgurHtmlDomain = (url: string) => url.startsWith("https://imgur.com/");
const allowUrl = async (url: string) => {
const { origin: baseUrl, hostname } = new URL(url);
const { origin: baseUrl, host } = new URL(url);
const result = await VencordNative.csp.requestAddOverride(baseUrl, ["connect-src", "img-src", "style-src", "font-src"], "Vencord Themes");
if (result !== "ok") return;
CspBlockedUrls.forEach(url => {
if (new URL(url).hostname === hostname) {
if (new URL(url).host === host) {
CspBlockedUrls.delete(url);
}
});

6
src/main/csp/index.ts
View file

@ -19,8 +19,10 @@ export const ImageScriptsAndCssSrc = [...ImageAndCssSrc, "script-src", "worker-s
// script and just adding to it. But generally, you should just edit this file instead
export const CspPolicies: PolicyMap = {
"localhost": ImageAndCssSrc,
"127.0.0.1": ImageAndCssSrc,
"http://localhost:*": ImageAndCssSrc,
"http://127.0.0.1:*": ImageAndCssSrc,
"localhost:*": ImageAndCssSrc,
"127.0.0.1:*": ImageAndCssSrc,
"*.github.io": ImageAndCssSrc, // GitHub pages, used by most themes
"github.com": ImageAndCssSrc, // GitHub content (stuff uploaded to markdown forms), used by most themes

10
src/main/csp/manager.ts
View file

@ -20,9 +20,9 @@ export function registerCspIpcHandlers() {
function validate(url: string, directives: string[]) {
try {
const { hostname } = new URL(url);
const { host } = new URL(url);
if (/[;'"\\]/.test(hostname)) return false;
if (/[;'"\\]/.test(host)) return false;
} catch {
return false;
}
@ -34,7 +34,7 @@ function validate(url: string, directives: string[]) {
}
function getMessage(url: string, directives: string[], callerName: string) {
const domain = new URL(url).hostname;
const domain = new URL(url).host;
const message = `${callerName} wants to allow connections to ${domain}`;
@ -73,7 +73,7 @@ async function addCspRule(_: IpcMainInvokeEvent, url: string, directives: string
return "invalid";
}
const domain = new URL(url).hostname;
const domain = new URL(url).host;
if (domain in NativeSettings.store.customCspRules) {
return "conflict";
@ -113,7 +113,7 @@ function removeCspRule(_: IpcMainInvokeEvent, domain: string) {
function isDomainAllowed(_: IpcMainInvokeEvent, url: string, directives: string[]) {
try {
const domain = new URL(url).hostname;
const domain = new URL(url).host;
const ruleForDomain = CspPolicies[domain] ?? NativeSettings.store.customCspRules[domain];
if (!ruleForDomain) return false;