Conversation
| img-src 'self' data: blob:; | ||
| object-src 'none'; | ||
| font-src 'self' data:; | ||
| script-src 'self' ${scriptEval}; |
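Review bot: with `script-src` now set explicitly, `default-src 'self'` no longer applies to script loads, so `'self'` has to stay on the `script-src 'self' ${scriptEval};` line; a one-line comment next to it saying so would stop a later cleanup from dropping it and reproducing the "Refused to load the script" error quoted below. It is also worth confirming in this hunk that `${scriptEval}` expands to `'wasm-unsafe-eval'` in the packaged app and to `'unsafe-eval'` only in dev mode, since the packaged renderer is the one that runs under the stricter value.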
Do we need 'self' though in the packaged app?
I was going off the fact that it wasn't previously present, but in that scenario I believe it was covered by default-src 'self'. I wonder if it's needed though since technically we read the script from the disk in the packaged app, no?
It's needed, the renderer assets won't load without it:
index.html:1 Refused to load the script 'file:///Volumes/Teleport%20Connect%201.0.0-dev-arm64/Teleport%20Connect.app/Contents/Resources/app.asar/build/app/renderer/assets/index-p_BQNgK4.js' because it violates the following Content Security Policy directive: "script-src 'wasm-unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I believe default-src 'self' doesn't work when we explicitly set script-src.
(cherry picked from commit ee8be4d)
…54926)
* Show Windows desktops in Connect (#53955)
* Show Windows desktops in Connect
* Use `net.SplitHostPort`
* Use underscore in URIs
* Omit the default RDP port before displaying item in the UI
(cherry picked from commit 81af813)
* Add desktop session-related ACLs to Connect (#54031)
* Add desktop session-related ACLs to Connect
* Add new fields to `makeAcl`
(cherry picked from commit aba0de0)
* Add latency detector for desktop sessions (#52827)
* wip
* add ping message and latency from desktop side
* version
* Fix backward compatibility
* godocs
* formatting
* fix imports
* formatting
* formatting
* log and gci
* lint
* Apply tooltip on the icon directly, instead of on the Menu component
This fixes a problem where onMouseLeave in HoverTooltip wasn't called and the tooltip didn't disappear.
* Use consistent spacing between top bar elements
* updates from origin
* e
* e
* lint
* rework UI after merge
* Rename fields in backend
* prettier
* Update web/packages/shared/components/DesktopSession/TopBar.tsx
Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com>
* review comments
* fix ui
* add env var to disable windows desktop "ping"
* review comment
* review comment
* Update lib/web/desktop.go
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Refactor latency monitoring
* fix spelling
* remove monitorSessionLatency
* gci
* review comment
* review comment
* Update RFD and version
* fix gaps
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com>
(cherry picked from commit 1aba870)
* Abstract directory sharing file system (#54545)
* Extract an interface to interact with a shared directory file system
Some methods were renamed to more closely follow common file system naming conventions.
* Use the new interface in the TDP client
* Provide a browser file system as the shared directory access implementation
(cherry picked from commit d3fbeeb)
* Support desktop access in Connect (#54373)
* Extract reusable function for establishing connections to Windows Desktop Service
* Add `ProxyWindowsDesktopSession` proto
* Implement `ProxyWindowsDesktopSession`
* Enable fetching desktops and desktop services in remote proxy cache
* Implement dialing windows desktop
* Implement client
* Support Windows desktop certs in tsh
* Fix incorrect `windowsDesktop` URI
* Add proto for `ConnectToDesktop`
* Implement `ConnectToDesktop`
* Do not log requests/responses for `ConnectToDesktop` RPC
* Add boilerplate for `DocumentDesktopSession`
* Open a desktop connection
* Relax ArrayBuffer type passed to encode methods, ignore tshd abort errors
In tshd stream, the buffer is of type `ArrayBufferLike` (which is `ArrayBuffer` & `SharedArrayBuffer`). To allow assigning it to the type in our TDP code, we make it more general.
* Ensure WASM IronRDP code is initialized only once
* Use `utils.ShuffleVisit`
* Improve stream cancellation handling
* Leave a TODO about ListWindowsDesktops
* Do not return empty data slice
* Provide non-nil src and dest addresses to `streamutils.NewConn()`
* Do not emit an empty message to indicate a successful connection
* Fix test
* Simplify code
* Add missing `WindowsDesktopTLSCredentials` initialization
* Require that the first message is only a dial request and the subsequent ones are only data
* Add explicit `stop()` check
* Hold cluster name and desktop name in a struct for the map key
* Do not return early on non-connection problem errors
* Handle io.EOF error specifically in BidiStreamingClient.Send instead of in `tlsConn.HandshakeContext`
* Extract a common function to proxy TDP connections
* Improve proto comments and connection setup
* Add comments and logs
* Lint
* Explain why there's a special handling for abort error
* Bring back the original `proxyWebsocketConn` behavior when it comes to error handling
* Post merge fixes
* Adjust proxying TDP connection to changes from master
* Lint
* Channels improvements
* Post merge fixes
(cherry picked from commit 980ce61)
* Show desktops in connection tracker (#54668)
* Make supporting non-Windows desktops easier in the future
* Add connection boilerplate for desktop connections
* Show connected/disconnected status in the connection tracker
* Make sure that ACLs were fetched before reading from them
ACLs are fetched asynchronously.
* Do not crash when reading unsupported connection from app_state.json
* `gwDoc` -> `doc`
* `windowsDesktops` -> `windows_desktops`
(cherry picked from commit 9f49376)
* Implement shared directory file system in tsh daemon (#54662)
* Implement shared directory file system in tshd
* Remove `Open` method
* Do not use `os.IsNotExist`
* Read bytes into `[]byte` parameter
* Correctly use `t.Helper()`
* Add missing `trace.Wrap`
* Rename receivers
* Handle errors from `file.Close()`
* Use named returns to return close error
* Improve error handling
(cherry picked from commit b3e9199)
* Support directory sharing in Connect (#54663)
* Register directory access when starting a desktop session
* Add RPC to attach a directory to desktop session
* Do not allow `attachDirectoryToDesktopSession` to be called from the renderer process
* Open the directory picker and send the selected path to tshd
* Intercept file system events coming from the server and handle them
* Disallow file system messages to be sent from the renderer
* Refactor dir sharing
* `AttachDirectoryToDesktopSession` -> `SetSharedDirectoryForDesktopSession`
* Improve comments
* Small fixes
* Add missing defer for `s.dirAccessMu.RUnlock()`
* `TestOpenSharedDirectory` -> `TestNewDirectoryAccess`
* Add a comment for JS file system handlers
* `make grpc`
---------
Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com>
(cherry picked from commit 45428c0)
* Simplify code around latency detection for desktop (#54795)
* Simplify code around latency detection for desktop
* cleanup
* Use tdp.Conn for client and server
* Add check for context cancellation
* Cleanup
* remove context check
* remove context check
* remove unused field
* use sync.OnceFunc, error on unexpected ping
* err message
(cherry picked from commit 28f78c3)
* Show `desktop access requires Teleport Proxy 17.5.0 or higher` when Proxy returns NotImplementedError
* Add `wasm-unsafe-eval` to Connect CSP (#54916)
(cherry picked from commit ee8be4d)
* Ensure all errors thrown by `TdpClient` are instances of `Error` class (#54877)
* Add a utility function to convert any input to an Error instance
* Add types for TdpClient events
* Always throw Error from `adaptWebSocketToTdpTransport`
* Improve getting the error message in `getErrMessage`
* Move `isAbortError` to error.ts
* Remove unused `tshd/errors.ts`
* Handle `JSON.stringify` error, add `cause` to thrown errors
* Remove unnecessary `async`
* Remove `error.toString` from the callsites
* Handle `err` being undefined
(cherry picked from commit 4d28408)
---------
Co-authored-by: Przemko Robakowski <przemko.robakowski@goteleport.com>
To initialize WASM code, the content security policy must be extended with 'wasm-unsafe-eval', otherwise WASM won't work:
This is done in the Web UI too.
I hadn't noticed it initially because the app in dev mode sets 'unsafe-eval', so everything worked.
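The two CSP points raised on this page, the fallback rule behind the quoted "Refused to load the script" error and the need for 'wasm-unsafe-eval' described above, as an added example (not Teleport's code; the `scriptEval` values it is called with are assumptions):

```javascript
// Added example (not Teleport Connect's code): a minimal CSP fallback resolver
// showing why 'self' must stay on `script-src` once that directive is set
// (default-src no longer covers scripts) and that WebAssembly needs
// 'wasm-unsafe-eval' or 'unsafe-eval'. `scriptEval` values are assumptions.

// Fallback chain: a directive is consulted only when every more specific
// directive in its chain is absent. Other fetch directives use default-src.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};
// Parse "img-src 'self' data:; object-src 'none'" into a name -> sources map.
function parseCsp(policy) {
  const parsed = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) parsed[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return parsed;
}

// Source list that actually governs `directive`, or null if nothing does
// (then CSP places no restriction on that fetch).
function effectiveSources(policy, directive) {
  const parsed = parseCsp(policy);
  for (const name of FALLBACK[directive] ?? [directive, 'default-src']) {
    if (name in parsed) return parsed[name];
  }
  return null;
}

// Would a <script src> from the app's own origin (file:// in the packaged
// app) load? This is the fetch that failed in the quoted console error.
function allowsSelfScripts(policy) {
  const src = effectiveSources(policy, 'script-src-elem');
  return src === null || src.includes("'self'");
}

// Would WebAssembly.compile / instantiate be allowed?
function allowsWasm(policy) {
  const src = effectiveSources(policy, 'script-src');
  return src === null || src.includes("'wasm-unsafe-eval'") || src.includes("'unsafe-eval'");
}
// The Connect policy from the diff, with `scriptEval` substituted.
function buildConnectCsp(scriptEval) {
  return `default-src 'self'; img-src 'self' data: blob:; object-src 'none'; ` +
    `font-src 'self' data:; script-src 'self' ${scriptEval};`;
}
```

`allowsSelfScripts("default-src 'self'; script-src 'wasm-unsafe-eval';")` is false, which is exactly the packaged-app failure quoted in the review thread.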