From 2a398985cf2e704f086193e868ca355da6c96685 Mon Sep 17 00:00:00 2001
From: Vendicated
Date: Sat, 14 Jun 2025 00:55:14 +0200
Subject: [PATCH] fix: correctly allow resources from localhost
---
 src/components/VencordSettings/ThemesTab.tsx | 4 ++--
 src/main/csp/index.ts | 6 ++++--
 src/main/csp/manager.ts | 10 +++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/components/VencordSettings/ThemesTab.tsx b/src/components/VencordSettings/ThemesTab.tsx
index ceb59898..e3fbe53a 100644
--- a/src/components/VencordSettings/ThemesTab.tsx
+++ b/src/components/VencordSettings/ThemesTab.tsx
@@ -375,13 +375,13 @@ export function CspErrorCard() {
 const isImgurHtmlDomain = (url: string) => url.startsWith("https://imgur.com/");
 const allowUrl = async (url: string) => {
- const { origin: baseUrl, hostname } = new URL(url);
+ const { origin: baseUrl, host } = new URL(url);
 const result = await VencordNative.csp.requestAddOverride(baseUrl, ["connect-src", "img-src", "style-src", "font-src"], "Vencord Themes");
 if (result !== "ok") return;
 CspBlockedUrls.forEach(url => {
- if (new URL(url).hostname === hostname) {
+ if (new URL(url).host === host) {
 CspBlockedUrls.delete(url);
 }
 });
diff --git a/src/main/csp/index.ts b/src/main/csp/index.ts
index fefbc774..c4192f4b 100644
--- a/src/main/csp/index.ts
+++ b/src/main/csp/index.ts
@@ -19,8 +19,10 @@ export const ImageScriptsAndCssSrc = [...ImageAndCssSrc, "script-src", "worker-s
 // script and just adding to it. But generally, you should just edit this file instead
 export const CspPolicies: PolicyMap = {
- "localhost": ImageAndCssSrc,
- "127.0.0.1": ImageAndCssSrc,
+ "http://localhost:*": ImageAndCssSrc,
+ "http://127.0.0.1:*": ImageAndCssSrc,
+ "localhost:*": ImageAndCssSrc,
+ "127.0.0.1:*": ImageAndCssSrc,
 "*.github.io": ImageAndCssSrc, // GitHub pages, used by most themes
 "github.com": ImageAndCssSrc, // GitHub content (stuff uploaded to markdown forms), used by most themes
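Review bot: The cleanup loop in `allowUrl` removes every blocked entry whose `host` matches, although the override was requested for `baseUrl`, which is a full origin including the scheme. An entry for the same host under a different scheme disappears from the list even though nothing in this hunk shows it is now permitted; whether it is depends on how the main process emits the stored rule, so this needs confirming. Comparing origins keeps the list in step with what was approved: `if (new URL(url).origin === baseUrl) {`. The callback parameter `url` also shadows the `url` argument of `allowUrl`, and renaming it (for example to `blocked`) would make the comparison easier to read.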
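Review bot: The four new keys in `CspPolicies` are source expressions with a scheme and a port wildcard, while the neighbouring keys are bare hostnames, and nothing in the hunk records why both `http://localhost:*` and `localhost:*` are needed or that `:*` covers every loopback port. A short comment would document the trust decision, for example `// Loopback, any port: scheme-less entries follow the page's scheme, so plain http needs its own entry` (this presumes the keys are emitted verbatim into the policy). With these entries, any process listening on a loopback port can serve content for the directives in `ImageAndCssSrc`, which is defined outside this hunk, so it is worth stating that this is intended. Note also that `isDomainAllowed` in src/main/csp/manager.ts looks keys up by URL host, which none of the new keys equals.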
diff --git a/src/main/csp/manager.ts b/src/main/csp/manager.ts
index b8fbbea3..e6b1a0e3 100644
--- a/src/main/csp/manager.ts
+++ b/src/main/csp/manager.ts
@@ -20,9 +20,9 @@ export function registerCspIpcHandlers() {
 function validate(url: string, directives: string[]) {
 try {
- const { hostname } = new URL(url);
+ const { host } = new URL(url);
- if (/[;'"\\]/.test(hostname)) return false;
+ if (/[;'"\\]/.test(host)) return false;
 } catch {
 return false;
 }
@@ -34,7 +34,7 @@ function validate(url: string, directives: string[]) {
 }
 function getMessage(url: string, directives: string[], callerName: string) {
- const domain = new URL(url).hostname;
+ const domain = new URL(url).host;
 const message = `${callerName} wants to allow connections to ${domain}`;
@@ -73,7 +73,7 @@ async function addCspRule(_: IpcMainInvokeEvent, url: string, directives: string
 return "invalid";
 }
- const domain = new URL(url).hostname;
+ const domain = new URL(url).host;
 if (domain in NativeSettings.store.customCspRules) {
 return "conflict";
@@ -113,7 +113,7 @@ function removeCspRule(_: IpcMainInvokeEvent, domain: string) {
 function isDomainAllowed(_: IpcMainInvokeEvent, url: string, directives: string[]) {
 try {
- const domain = new URL(url).hostname;
+ const domain = new URL(url).host;
 const ruleForDomain = CspPolicies[domain] ?? NativeSettings.store.customCspRules[domain];
 if (!ruleForDomain) return false;
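Review bot: The character check in `validate` is a denylist of four characters applied to `host`, and it lets through other characters that carry meaning in a CSP source list, such as `*` and `,`, if the URL parser accepts them in a host. Because the same value becomes the rule key in `addCspRule`, an allowlist is the safer shape: `if (!/^[a-z0-9.-]+(:\d+)?$/.test(host)) return false;`. That pattern also rejects an empty host and bracketed IPv6 literals, so extend it if IPv6 origins must be supported. The scheme of `url` is not checked in the visible lines either; `validate` continues outside this hunk, so confirm whether that is handled there.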
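Review bot: `domain in NativeSettings.store.customCspRules` also answers true for names inherited from the prototype, so a host such as `constructor` would be reported as "conflict" although no rule was stored, assuming `customCspRules` is a plain object. An own-property test avoids that: `if (Object.hasOwn(NativeSettings.store.customCspRules, domain)) {`. The same concern applies to the `CspPolicies[domain] ?? NativeSettings.store.customCspRules[domain]` lookup in the `isDomainAllowed` hunk, where an inherited member would be treated as a rule. `addCspRule` starts and ends outside this hunk.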
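Review bot: `CspPolicies[domain]` is an exact-key lookup, and with `domain` now a URL `host` it can no longer find the built-in loopback entries, whose keys this commit changes to `http://localhost:*` and `localhost:*` in src/main/csp/index.ts; before, `hostname` equalled the old `localhost` key. The result is a false negative for URLs the policy permits (wildcard keys such as `*.github.io` cannot be matched this way either), which fails closed but may lead callers to request overrides that are not needed. A minimal repair for the loopback case is `const { host, hostname } = new URL(url);` followed by `const ruleForDomain = CspPolicies[host] ?? CspPolicies[hostname + ":*"] ?? NativeSettings.store.customCspRules[host];`. The body of `isDomainAllowed` continues past the end of the hunk.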