feat: add HeaderConfig to SecurityConfig

[39zde]

Feature

Adds a new configuration option for the tauri configuration file. This being headers in the app>security. Headers defined the are added to every http response from tauri to the web view. This doesn't include IPC messages and error responses. The header names are limited to:

• Access-Control-Allow-Credentials
• Access-Control-Allow-Headers
• Access-Control-Allow-Methods
• Access-Control-Expose-Headers
• Access-Control-Max-Age
• Cross-Origin-Embedder-Policy
• Cross-Origin-Opener-Policy
• Cross-Origin-Resource-Policy
• Permissions-Policy
• Timing-Allow-Origin
• X-Content-Type-Options
• Tauri-Custom-Header

I primarily wanted to use SharedArrayBuffer,
which requires cross-origin isolation. Since there was no effort in adding more headers I looked for the ones, that would make the most sense.
The Content-Security-Policy(CSP) remains untouched. I tried to implement a unified way to define headers, including the CSP, but to no avail.
Since it's a very dynamic header, with grave implications for security, it's better to remain untouched.

Example configuration

{
 //..
  app:{
    //..
    security: {
      headers: {
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp",
        "Timing-Allow-Origin": [
          "https://developer.mozilla.org",
          "https://example.com",
        ],
        "Access-Control-Expose-Headers": "Tauri-Custom-Header",
        "Tauri-Custom-Header": {
          "key1": "'value1' 'value2'",
          "key2": "'value3'"
        }
      },
      csp: "default-src 'self'; connect-src ipc: http://ipc.localhost",
    }
    //..
  }
 //..
}

In this example Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy are set to allow for the use of SharedArrayBuffer.
The result is, that those headers are then set on every response sent via the get_response function in crates/tauri/src/protocol/tauri.rs.
The Content-Security-Policy header is defined separately, because it is also handled separately.

For the helloworld example, this config translates into those response headers:

access-control-allow-origin:  http://tauri.localhost
access-control-expose-headers: Tauri-Custom-Header
content-security-policy: default-src 'self'; connect-src ipc: http://ipc.localhost; script-src 'self' 'sha256-Wjjrs6qinmnr+tOry8x8PPwI77eGpUFR3EEGZktjJNs='
content-type: text/html
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
tauri-custom-header: key1 'value1' 'value2'; key2 'value3'
timing-allow-origin: https://developer.mozilla.org, https://example.com

Since the resulting header values are always 'string-like'. So depending on the what data type the HeaderSource is, they need to be converted.

• String(JS/Rust): stay the same for the resulting header value
• Array(JS)/Vec\<String\>(Rust): Item are joined by ", " for the resulting header value
• Object(JS)/ Hashmap\<String,String\>(Rust): Items are composed from: key + space + value. Item are then joined by "; " for the resulting header value

[github-actions]

Package Changes Through b58ae8b

There are 9 changes which include tauri-utils with minor, tauri with minor, @tauri-apps/api with minor, tauri-bundler with minor, tauri-cli with minor, @tauri-apps/cli with minor, tauri-runtime-wry with minor, tauri-macros with patch, tauri-runtime with minor

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package	current	next
@tauri-apps/api	2.0.3	2.1.0
tauri-utils	2.0.2	2.1.0
tauri-bundler	2.0.4	2.1.0
tauri-runtime	2.1.1	2.2.0
tauri-runtime-wry	2.1.2	2.2.0
tauri-codegen	2.0.2	2.0.3
tauri-macros	2.0.2	2.0.3
tauri-plugin	2.0.2	2.0.3
tauri-build	2.0.2	2.0.3
tauri	2.0.6	2.1.0
@tauri-apps/cli	2.0.4	2.1.0
tauri-cli	2.0.4	2.1.0

Add another change file through the GitHub UI by following this link.

---

Read about change files or the docs at github.com/jbolda/covector

[amrbashir]

Could you please revert the changes where you moved types from config.rs to config/security.rs so the relevant PRs could be reviewed separately, after merge, your can open another PR to refactor things into different files.

[amrbashir]

LGTM, just need approval of @tweidinger

Note you need to run cargo b -p tauri-schema-generator to fix CI

[tweidinger]

Looks good to me.