commit 4f38e7b4946fcac566b15a2c9dbeb3d997f43865 · @notnite.com/moonlight

@notnite.com / moonlight

this repo has no description

Add support for extensions extending the Content-Security-Policy header (#202)

Maxine 1 month ago 2 files (+25, -2)

4f38e7b4 00037f6d

Changed files

packages/injector/src/index.ts

packages/types/src/extension.ts

MODIFIED packages/injector/src/index.ts

@@ -76,7 +76,7 @@
   blockedUrls = compiled;
 });
 
-function patchCsp(headers: Record<string, string[]>) {
+function patchCsp(headers: Record<string, string[]>, extensionCspOverrides: Record<string, string[]>) {
   const directives = ["script-src", "style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"];
   const values = ["*", "blob:", "data:", "'unsafe-inline'", "'unsafe-eval'", "disclip:"];
 
@@ -97,6 +97,11 @@ for (const directive of directives) {
     parts[directive] = values;
   }
 
+  for (const [directive, urls] of Object.entries(extensionCspOverrides)) {
+    parts[directive] ??= [];
+    parts[directive].push(...urls);
+  }
+
   const stringified = Object.entries<string[]>(parts)
     .map(([key, value]) => {
       return `${key} ${value.join(" ")}`;
@@ -122,11 +127,23 @@
     // Event for when a window is created
     moonlightHost.events.emit("window-created", this, isMainWindow);
 
+    const extensionCspOverrides: Record<string, string[]> = {};
+
+    {
+      const extCsps = moonlightHost.processedExtensions.extensions.map((x) => x.manifest.csp ?? {});
+      for (const csp of extCsps) {
+        for (const [directive, urls] of Object.entries(csp)) {
+          extensionCspOverrides[directive] ??= [];
+          extensionCspOverrides[directive].push(...urls);
+        }
+      }
+    }
+
     this.webContents.session.webRequest.onHeadersReceived((details, cb) => {
       if (details.responseHeaders != null) {
         // Patch CSP so things can use externally hosted assets
         if (details.resourceType === "mainFrame") {
-          patchCsp(details.responseHeaders);
+          patchCsp(details.responseHeaders, extensionCspOverrides);
         }
 
         // Allow plugins to bypass CORS for specific URLs

MODIFIED packages/types/src/extension.ts

@@ -135,6 +135,12 @@ * This is implemented by checking if the start of the URL matches.
    * @example https://moonlight-mod.github.io/
    */
   blocked?: string[];
+
+  /**
+   * A mapping from CSP directives to URLs to allow.
+   * @example { "script-src": ["https://example.com"] }
+   */
+  csp?: Record<string, string[]>;
 };
 
 export enum ExtensionEnvironment {