How to access the Isolation url

[scadra]

When configuring a Content-Security-Policy (CSP) in a WebView, I need to specify allowed frame-src values. However, this becomes challenging when the application (or underlying framework) uses isolation iframes that are created at runtime with dynamically generated, unpredictable URLs. Since these URLs can't be known in advance, it's not feasible to statically whitelist them in the CSP.

I'm working with two WebViews (one visible, one hidden), and I want to enforce CSP to strictly control input and output. However, the CSP ends up blocking the dynamically created isolation iframes, breaking key features like sandboxed rendering or secure embedded execution.

My question is:
Is there any way to determine or resolve the isolation iframe's URL before the WebView is instantiated, so I can apply the correct CSP dynamically?

[FabianLars]

It's a bit ugly but at least it works. You'll have to pull out the generate_context!() call out of build()/run() to get a Context object that also stores info about the pattern. The gist of is would be this:

let context = tauri::generate_context!();

if let tauri::Pattern::Isolation { schema, .. } = context.pattern() {
  dbg!(schema);
}

tauri::Builder::default()
  .build(context) // important to re-use the same context. generate_context should only ever be called once.
  .unwarp();

This schema will be used to construct one of those urls:

• windows and android:
  • http://<schema>.localhost
• windows and android if you enabled https in the webview config:
  • https://<schema>.localhost
• linux/macos/ios
  • <schema>:
  • this^ is the format for frame-src but the actual url will likely start with <schema>://localhost