
[feat] Ability to explicitly disallow js API functions for specific windows

Open matthme opened this issue 3 years ago • 0 comments

Describe the problem

Currently, based on my understanding, tauri only allows "opt-in" for certain js API endpoints via the allowlist. Endpoints that don't have an option in the allowlist are always enabled. And there is no way to have those kinds of restrictions be specific to the window that's calling the endpoint.

We have an application where some windows contain code that's not developed by us and we need to restrict their ability to make calls to the backend via tauri's js API. We do need them to be able to use the invoke function of the js API, which we can sanitize and restrict to specific commands in the Rust backend, but not any of the other js endpoints (or only a few selected ones).

Describe the solution you'd like

I would like to be able to explicitly "opt-out", i.e. disallow any js endpoint, ideally at the window level.

Alternatives considered

  • Using the isolation hook to reject certain js API calls. This does not work in our case because it currently does not seem to be possible to have different isolation hook behavior based on the window the request is being made from. And it has the drawback that the iframe restricts certain functionalities in some webviews.

Additional context

No response

matthme, Jan 04 '23 12:01
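The issue mentions restricting `invoke` to specific commands in the Rust backend. The following is an added example, not code from the issue or from Tauri, of a default-deny, per-window command policy that uses only the standard library. The window labels and command names are constructed, and the label is assumed to be supplied by the backend runtime rather than by the calling page. It covers only custom commands, not the built-in js API endpoints the issue asks to disable.

```rust
use std::collections::{HashMap, HashSet};

/// Maps a window label to the backend commands that window may invoke.
pub struct WindowPolicy {
    allowed: HashMap<String, HashSet<String>>,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    DenyUnknownWindow,
    DenyCommand,
}

impl WindowPolicy {
    pub fn new() -> Self {
        WindowPolicy { allowed: HashMap::new() }
    }

    /// Grant `commands` to `window`; repeated calls for one label accumulate.
    pub fn allow(mut self, window: &str, commands: &[&str]) -> Self {
        self.allowed
            .entry(window.to_string())
            .or_default()
            .extend(commands.iter().map(|c| c.to_string()));
        self
    }

    /// Default deny: a window with no entry gets nothing, and a known
    /// window gets only the commands explicitly listed for it.
    pub fn check(&self, window: &str, command: &str) -> Decision {
        match self.allowed.get(window) {
            None => Decision::DenyUnknownWindow,
            Some(cmds) if cmds.contains(command) => Decision::Allow,
            Some(_) => Decision::DenyCommand,
        }
    }
}

/// Constructed sample: "main" is first-party, "plugin-view" hosts third-party code.
pub fn sample_policy() -> WindowPolicy {
    WindowPolicy::new()
        .allow("main", &["read_settings", "write_settings"])
        .allow("plugin-view", &["plugin_request"])
}

fn main() {
    let p = sample_policy();
    println!("{:?}", p.check("plugin-view", "write_settings"));
}
```

The check is only meaningful if the label cannot be chosen by the untrusted page, so it should never be read from the command's own arguments.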