diff --git a/desktop/main.js b/desktop/main.js index 05361d0b2fdb..b2ad339d9647 100644 --- a/desktop/main.js +++ b/desktop/main.js @@ -47,6 +47,7 @@ _.assign(console, log.functions); // until it detects that it has been upgraded to the correct version. const EXPECTED_UPDATE_VERSION_FLAG = '--expected-update-version'; +const APP_DOMAIN = __DEV__ ? `http://localhost:${port}` : 'app://-'; let expectedUpdateVersion; for (let i = 0; i < process.argv.length; i++) { @@ -159,18 +160,19 @@ const mainWindow = (() => { details.requestHeaders.referer = CONFIG.EXPENSIFY.URL_EXPENSIFY_CASH; callback({requestHeaders: details.requestHeaders}); }); - - // Modify access-control-allow-origin header for the response - webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => { - details.responseHeaders['access-control-allow-origin'] = ['app://-']; - callback({responseHeaders: details.responseHeaders}); - }); - } else { - webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => { - details.responseHeaders['access-control-allow-origin'] = [`http://localhost:${process.env.PORT}`]; - callback({responseHeaders: details.responseHeaders}); - }); } + + // Modify access-control-allow-origin header and CSP for the response + webRequest.onHeadersReceived(validDestinationFilters, (details, callback) => { + details.responseHeaders['access-control-allow-origin'] = [APP_DOMAIN]; + if (details.responseHeaders['content-security-policy']) { + details.responseHeaders['content-security-policy'] = _.map( + details.responseHeaders['content-security-policy'], + value => (value.startsWith('frame-ancestors') ? `${value} ${APP_DOMAIN}` : value), + ); + } + callback({responseHeaders: details.responseHeaders}); + }); /* eslint-enable */ // Prod and staging overwrite the app name in the electron-builder config, so only update it here for dev