
Webpack Support for Content Security Policy using hashes

Open fras2560 opened this issue 5 months ago • 2 comments

Pre-flight checklist

  • [x] I have read the contribution documentation for this project.
  • [x] I agree to follow the code of conduct that this project uses.
  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Problem description

I am working on an Electron app that uses Electron-Forge and Webpack. It is a React app that uses Styled-Components. Due to Styled-Components being deprecated, there will be work to move away from it. However, in the meantime there is a need for it to be supported.

I added a content-security policy for electron using the:

session.defaultSession.webRequest.onHeadersReceived

I am using a custom protocol as outlined in Electron Security. My current content-security policy is default-src ${CUSTOM_PROTOCOL}: 'unsafe-inline'.

I would like the ability to not have to use 'unsafe-inline'. My understanding is that to remove it I would need to use either a nonce or a hash. It seems that a nonce is likely not a good approach for styled-components or webpack. It seems that using a hash and dynamic-strict would be the only potential avenue to improving the CSP.

I am requesting a feature that allows for adding a CSP with hashes of the underlying scripts. This should allow me to improve my CSP.

Proposed solution

There is an existing webpack component that should allow for CSP to be added with script hashes. https://github.com/slackhq/csp-html-webpack-plugin

It is just not clear whether the repository is supported enough to be used in Electron-Forge, or whether it would be better to implement this directly.

Alternatives considered

Nonce seems to not be supported by styled-components

Additional information

"@electron-forge/cli": "^7.7.0",
"electron": "37.1.0",

Please let me know if my understanding of content-security policy is correct. This is a new area for me and just trying to ensure I am following best practices.

fras2560 avatar Jul 24 '25 16:07 fras2560

I am willing to do the work for this feature, but I just want confirmation that no current solution exists and that the approach makes sense before implementing it.

fras2560 avatar Jul 24 '25 16:07 fras2560

I have to work on this, just want to confirm whether the maintainers of this repo are active or not.

dvansari65 avatar Nov 26 '25 04:11 dvansari65