
The author(s) got in contact with me about this post: it does appear that the APIs are exposed at the window level, meaning any iframe can access these functions. It's important to note that CSP does not traverse iframes, or at least, has very strict rules about how it does due to an information leak in CSP1 [1]. This means embedded content is not going to be affected by any CSP rules. OEMBED content, or sandboxed rendered markdown is going to be served from the `null` origin, meaning that frame-src rules will have no granularity.

[1]: http://archive.is/UXD8j



Has an issue been opened in their github for this? I looked quickly and didn't see one, but would love to track it.



I haven't seen / made one



