feat(core): allow configuring remote URLs with IPC access, closes #5088

Open lucasfernog opened this issue 2 years ago • 5 comments

What kind of change does this PR introduce?

  • [ ] Bugfix
  • [x] Feature
  • [ ] Docs
  • [ ] New Binding issue #___
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Build-related changes
  • [ ] Other, please describe:

Does this PR introduce a breaking change?

  • [ ] Yes, and the changes were approved in issue #___
  • [ ] No

Checklist

  • [x] When resolving issues, they are referenced in the PR's title (e.g fix: remove a typo, closes #___, #___)
  • [x] A change file is added if any packages will require a version bump due to this PR per the instructions in the readme.
  • [ ] I have added a convincing reason for adding this feature, if necessary

Other information

lucasfernog avatar Dec 26 '22 18:12 lucasfernog

This PR opens up some really cool possibilities. Also, I know it's probably still a WIP.

After trying it out I think that the messaging and/or error related to the windows part of the config can be improved. More specifically, it wasn't clear what value to use for windows -- the app's name (the "title" of the window), or main.

Originally had something like this in my tauri.conf.json:

"dangerousExternalCommandAccess": [
    {
      "url": "https://my-localhost-app-url",
      "windows": ["my-app-name"]
    }
]

When changed to "windows": ["main"] it works.

Not sure whether it's a matter of improving the Scope not defined error message, or whether it's a documentation thing, but that was a tiny papercut I ran into. Thanks again for the work on this!

austenc avatar Jan 01 '23 20:01 austenc

@austenc we do mention it's the window labels, see https://github.com/tauri-apps/tauri/pull/5918/files#diff-ff73997dde3dc4965aa0c59ce0b37c7d208ae5b6b7686bf19e14d93c98cc1bacR1116. I'll improve the error message though.

lucasfernog avatar Jan 03 '23 17:01 lucasfernog

Thanks for helping out a rust noob :) And thanks again for the work on this feature, really great!

austenc avatar Jan 03 '23 18:01 austenc

How do I exactly use this tauri pull request? I imported the library into my rust-project via tauri = { git = "https://github.com/tauri-apps/tauri.git", branch = "feat/remote-ipc", features = ["api-all"] } which worked out.

But when I run npm run tauri dev, it will say:

Error `tauri.conf.json` error on `tauri > security`: Additional properties are not allowed ('dangerousExternalCommandAccess' was unexpected)

Which makes sense, because the NPM tauri-cli library is still the v1.2.2. I don't know much about NPM, so I was wondering how I can use this pull request now?

1zun4secondary avatar Jan 14 '23 15:01 1zun4secondary

@1zun4 see https://tauri.app/v1/guides/faq#how-can-i-use-unpublished-tauri-changes (Using the Tauri CLI from source) - I recommend using the cargo cli instead since it's easier to use a git version imo.

Oh and make sure to also use the tauri-build crate from git.

FabianLars avatar Jan 15 '23 18:01 FabianLars

> @1zun4 see https://tauri.app/v1/guides/faq#how-can-i-use-unpublished-tauri-changes (Using the Tauri CLI from source) - I recommend using the cargo cli instead since it's easier to use a git version imo.
>
> Oh and make sure to also use the tauri-build crate from git.

Thank you very much! It works flawlessly with my application. Looking forward to it being merged.

> When changed to "windows": ["main"] it works.
>
> Not sure whether it's a matter of improving the Scope not defined error message, or whether it's a documentation thing, but that was a tiny papercut I ran into. Thanks again for the work on this!

... took me a while to figure it out... haha

1zun4secondary avatar Jan 30 '23 22:01 1zun4secondary

Hello, is there any way to modify/add dynamically a value to the dangerousExternalCommandAccess field from the main.rs? I would need, for example, to get my remote server address from another configuration file, an environment variable or a register key.

ddx95 avatar Mar 08 '23 08:03 ddx95

What's the status of this PR?

tm1000 avatar Mar 12 '23 17:03 tm1000

Looks like there is lots of interest in this feature. What can the community do to help it land?

prestomation avatar Mar 23 '23 03:03 prestomation

The security team has been auditing this PR and the findings will be public soon - along with the proposed solution to improve security.

lucasfernog avatar Mar 23 '23 11:03 lucasfernog

Can't wait for their input, I still stand with the review I made 3 months ago. This feature is an escape hatch for "dangerous" usecases, so for me it should allow users to whitelist each element as they wish. It should be very specific in its definition but broad in what it allows (like: I want to allow plugin X for all websites). It should definitely not be used 99% of the time. Our usecase for it was to be able to allow loading remote UI that can interact with some whitelisted tauri commands. It would even be ok with a compiler warning if this feature is used.

Sytten avatar Mar 23 '23 13:03 Sytten

One thing I did not touch is usage of remote URLs with the isolation protocol enabled. Since we can't inject the isolation protocol scripts (?) it does not work at all right now.

lucasfernog avatar Apr 05 '23 19:04 lucasfernog

@tillmann-crabnebula I've pushed some changes to make this work with the isolation pattern.

I'm planning on merging this and release 1.3 next week if we can get all blog posts ready.

lucasfernog avatar Apr 07 '23 00:04 lucasfernog

We had to change the approach here from "configuring remote URLs with glob patterns" to "configuring domains" for security reasons. If you need to allow ALL URLs, that is super dangerous and you'll need to do so by listening to the navigation event via WindowBuilder::on_navigation and manually adding the domain to the scope.

lucasfernog avatar Apr 07 '23 15:04 lucasfernog

That's fair, at least there is a way to do it. I will give it a try this week. When is it planned to be released?

Sytten avatar Apr 11 '23 13:04 Sytten

We're working to release it this week.

lucasfernog avatar Apr 11 '23 13:04 lucasfernog

huuray

1zun4secondary avatar Apr 11 '23 19:04 1zun4secondary

Hello, will this be released for v1.x or will this have to wait until v2.0?

limitedmage avatar Apr 28 '23 16:04 limitedmage

It will be part of v1.3

FabianLars avatar Apr 28 '23 16:04 FabianLars

Can we have this feature in the next branch as a 2.0 feature? I would love to use it in my context, but I cannot downgrade to the 1.x.

luucasrb avatar Jun 04 '23 14:06 luucasrb

@luucasrb It already is in the next branch. iirc it was also part of alpha.9 but not 100% sure about that.

FabianLars avatar Jun 04 '23 15:06 FabianLars

Thanks, you are right. My confusion was that the dangerousRemoteDomainIpcAccess config is only in the v1 docs but not in the next docs.

luucasrb avatar Jun 08 '23 00:06 luucasrb

> We had to change the approach here from "configuring remote URLs with glob patterns" to "configuring domains" for security reasons. If you need to allow ALL URLs, that is super dangerous and you'll need to do so by listening to the navigation event via WindowBuilder::on_navigation and manually adding the domain to the scope.

I want to add domains inside on_navigation, but I just don't succeed. Can you give me an example, how I can do it?

JVariance avatar Sep 13 '23 06:09 JVariance
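
For the WindowBuilder::on_navigation approach and the runtime-configured domains asked about in this thread, an added example (not code from this PR or from the Tauri project) of the check a navigation handler can run before adding any domain to the scope: https only, exact host match against an allowlist. The function names, the comma-separated allowlist format and the sample hostnames are assumptions, and the Tauri calls themselves are left out.

```rust
use std::collections::HashSet;

/// Host of an absolute https URL, or None when the URL must never be trusted.
fn https_host(url: &str) -> Option<String> {
    // Only https is accepted; the scheme comparison is case-insensitive.
    let scheme = url.get(..8)?;
    if !scheme.eq_ignore_ascii_case("https://") {
        return None;
    }
    let rest = &url[8..];
    // The authority ends at the first '/', '\', '?' or '#'.
    let end = rest.find(|c: char| matches!(c, '/' | '\\' | '?' | '#')).unwrap_or(rest.len());
    let authority = &rest[..end];
    // "https://app.example.test@other.test/" points at other.test, so any
    // userinfo is refused; IPv6 literals are refused to keep parsing simple.
    if authority.contains('@') || authority.starts_with('[') {
        return None;
    }
    // Drop an optional ":port" suffix and normalise case.
    let host = authority.split(':').next().filter(|h| !h.is_empty())?;
    Some(host.to_ascii_lowercase())
}

/// For a URL seen in the navigation handler, return the domain that may be
/// added to the IPC scope. Exact match only: no globs, no suffix matching.
fn domain_to_allow(url: &str, allowlist: &HashSet<String>) -> Option<String> {
    https_host(url).filter(|host| allowlist.contains(host))
}

/// Build the allowlist from a comma-separated string (hypothetical format,
/// e.g. the value of an environment variable or a config file entry).
fn parse_allowlist(raw: &str) -> HashSet<String> {
    raw.split(',')
        .map(|d| d.trim().to_ascii_lowercase())
        .filter(|d| !d.is_empty())
        .collect()
}

fn main() {
    // Constructed sample data, not taken from the thread.
    let allowlist = parse_allowlist("app.example.test, Admin.Example.Test");
    for url in [
        "https://app.example.test/dashboard",
        "https://app.example.test.other.test/",
        "https://app.example.test@other.test/",
        "http://app.example.test/",
    ] {
        println!("{} -> {:?}", url, domain_to_allow(url, &allowlist));
    }
}
```

Inside a real handler the URL arrives already parsed, so the host would come from that object; only a `Some` result should ever reach the scope.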