fix: correctly allow resources from localhost

src/components/VencordSettings/ThemesTab.tsx

@@ -375,13 +375,13 @@ export function CspErrorCard() {
     const isImgurHtmlDomain = (url: string) => url.startsWith("https://imgur.com/");
 
     const allowUrl = async (url: string) => {
-        const { origin: baseUrl, hostname } = new URL(url);
+        const { origin: baseUrl, host } = new URL(url);
 
         const result = await VencordNative.csp.requestAddOverride(baseUrl, ["connect-src", "img-src", "style-src", "font-src"], "Vencord Themes");
         if (result !== "ok") return;
 
         CspBlockedUrls.forEach(url => {
-            if (new URL(url).hostname === hostname) {
+            if (new URL(url).host === host) {
                 CspBlockedUrls.delete(url);
             }
         });

src/main/csp/index.ts

@@ -19,8 +19,10 @@ export const ImageScriptsAndCssSrc = [...ImageAndCssSrc, "script-src", "worker-s
 // script and just adding to it. But generally, you should just edit this file instead
 
 export const CspPolicies: PolicyMap = {
-    "localhost": ImageAndCssSrc,
+    "http://localhost:*": ImageAndCssSrc,
-    "127.0.0.1": ImageAndCssSrc,
+    "http://127.0.0.1:*": ImageAndCssSrc,
+    "localhost:*": ImageAndCssSrc,
+    "127.0.0.1:*": ImageAndCssSrc,
 
     "*.github.io": ImageAndCssSrc, // GitHub pages, used by most themes
     "github.com": ImageAndCssSrc, // GitHub content (stuff uploaded to markdown forms), used by most themes

src/main/csp/manager.ts

@@ -20,9 +20,9 @@ export function registerCspIpcHandlers() {
 
 function validate(url: string, directives: string[]) {
     try {
-        const { hostname } = new URL(url);
+        const { host } = new URL(url);
 
-        if (/[;'"\\]/.test(hostname)) return false;
+        if (/[;'"\\]/.test(host)) return false;
     } catch {
         return false;
     }
@@ -34,7 +34,7 @@ function validate(url: string, directives: string[]) {
 }
 
 function getMessage(url: string, directives: string[], callerName: string) {
-    const domain = new URL(url).hostname;
+    const domain = new URL(url).host;
 
     const message = `${callerName} wants to allow connections to ${domain}`;
 
@@ -73,7 +73,7 @@ async function addCspRule(_: IpcMainInvokeEvent, url: string, directives: string
         return "invalid";
     }
 
-    const domain = new URL(url).hostname;
+    const domain = new URL(url).host;
 
     if (domain in NativeSettings.store.customCspRules) {
         return "conflict";
@@ -113,7 +113,7 @@ function removeCspRule(_: IpcMainInvokeEvent, domain: string) {
 
 function isDomainAllowed(_: IpcMainInvokeEvent, url: string, directives: string[]) {
     try {
-        const domain = new URL(url).hostname;
+        const domain = new URL(url).host;
 
         const ruleForDomain = CspPolicies[domain] ?? NativeSettings.store.customCspRules[domain];
         if (!ruleForDomain) return false;