
preload script cannot be loaded if Content Security Policy is enabled #9276

@rhysd

Description

  • Electron version: 1.6.5
  • Operating system: macOS

Expected behavior

Preload script can be loaded even if CSP is enabled

Actual behavior

Preload script is prevented from being loaded by CSP

How to reproduce

I could not prepare a server with CSP, so let me show the sequence to reproduce with my app...

  1. Download v0.2.2 from https://github.com/rhysd/Mstdn/releases
  2. Unarchive it and copy this config.json to ~/Application Support/Mstdn/config.json
  3. Open app with $ NODE_ENV=development /path/to/Mstdn.app/Contents/MacOS/Mstdn
  4. It will open DevTools for browser window. Console tab should show the error.

In my app, the browser window is opened with the nodeIntegration: false and preload: '...' web preferences for the external URL https://mstdn.jp, where CSP is enabled.

The above sequence shows the following error.

[image: 2017-04-25 0 53 55]

It says that eval cannot be used because of CSP. The eval is used at VM28:784 for loading the preload script specified with the preload: '...' option when creating a BrowserWindow instance.

The following is a screenshot of the code:

[image: 2017-04-25 0 57 17]

The preload script is loaded with the eval() function, but it is blocked. Is it possible to remove the CSP check while loading the preload script?
A preload script is a way of loading some user script even if Node integration is disabled for an external browser, AFAIK. So, if it is blocked by CSP, the preload script can no longer be used for injecting some code into an external page safely.
