fix(A.1 #2): parse tauri.conf.json properly in CSP regression guard

Review feedback: the original guard substring-searched the whole file
after the first "csp" token, which (a) false-passes if any unrelated
JSON value elsewhere in the config happens to contain a localhost URL
and (b) false-fails if the CSP is ever re-serialised with escaped
forward slashes.

Switches to serde_json + a /app/security/csp pointer lookup, then
splits the CSP on ';', finds the connect-src directive, tokenises its
allow-list on whitespace, and requires an exact match for both
http://127.0.0.1:* and ws://127.0.0.1:*. The error now also includes
the current connect-src value so a developer who breaks it can see
exactly what needs restoring.
This commit is contained in:
2026-04-22 00:35:33 +01:00
parent 2371e73f18
commit 6fd38932ce
2 changed files with 37 additions and 9 deletions

View File

@@ -11,6 +11,11 @@ crate-type = ["staticlib", "cdylib", "rlib"]
[build-dependencies]
tauri-build = { version = "2", features = [] }
# Used by the CSP regression guard in build.rs to parse tauri.conf.json
# and pull out app.security.csp rather than substring-matching the raw
# file. Keeps the guard robust against unrelated JSON values that
# happen to mention a localhost URL.
serde_json = "1"
[dependencies]
# Workspace crates