
@lucasfernog
Member

we hash JS scripts as SHA256 for the Content-Security-Policy (CSP) header. The isolation pattern is broken on Windows due to the hash including carriage return characters, which are not processed when the webview checks the script hash to see if the CSP allows the script.

@lucasfernog lucasfernog requested a review from a team as a code owner October 8, 2025 19:24
@github-project-automation github-project-automation bot moved this to 📬Proposal in Roadmap Oct 8, 2025
@github-actions
Contributor

github-actions bot commented Oct 8, 2025

Package Changes Through b5ae335

There are 10 changes which include @tauri-apps/api with minor, tauri-cli with minor, tauri-utils with minor, tauri-runtime-wry with minor, tauri-runtime with minor, tauri with minor, tauri-bundler with minor, @tauri-apps/cli with minor, tauri-codegen with patch, tauri-macros with patch

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package current next
@tauri-apps/api 2.8.0 2.9.0
tauri-utils 2.7.0 2.8.0
tauri-bundler 2.6.1 2.7.0
tauri-runtime 2.8.0 2.9.0
tauri-runtime-wry 2.8.1 2.9.0
tauri-codegen 2.4.0 2.4.1
tauri-macros 2.4.0 2.4.1
tauri-plugin 2.4.0 2.4.1
tauri-build 2.4.1 2.4.2
tauri 2.8.5 2.9.0
@tauri-apps/cli 2.8.4 2.9.0
tauri-cli 2.8.4 2.9.0

Add another change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector


/// Normalize line endings in script content to match what the browser uses for CSP hashing.
///
/// According to the HTML spec, browsers normalize:
Contributor

Is there a source that we could put a link here?

Member Author

I tried to find one but couldn't 😂 maybe this was an AI hallucination

Contributor

I think it's better to be clear about this. I'm afraid of introducing regressions on other platforms if this is not true for them (although rare, they could also have files ending in CRLF), and if that's a behavior we shouldn't rely on, it could break in the future.

Contributor

@Legend-Master Legend-Master Oct 10, 2025

Just some information: I was wondering how this worked for the regular inline scripts in user-provided HTML, and from testing, kuchiki::parse_html seems to convert \r\n to \n, which seemed to make it work. But for the isolation case, we inserted the JS file in inline_isolation directly into the document tree, so it preserved the CRLF.

use base64::Engine as _;
use kuchiki::NodeRef;
use sha2::{Digest, Sha256};

// `AssetKey` and `CspHashes` are the tauri-utils types used by the surrounding module.
fn inject_script_hashes(document: &NodeRef, key: &AssetKey, csp_hashes: &mut CspHashes) {
  // Every non-empty inline <script> in the parsed document gets a CSP hash.
  if let Ok(inline_script_elements) = document.select("script:not(:empty)") {
    let mut scripts = Vec::new();
    for inline_script_el in inline_script_elements {
      // Text as it exists in the parsed tree (kuchiki has already turned CRLF into LF here).
      let script = inline_script_el.as_node().text_contents();
      let mut hasher = Sha256::new();
      hasher.update(&script);
      let hash = hasher.finalize();
      // CSP source expression: 'sha256-<standard base64 of the digest>'
      scripts.push(format!(
        "'sha256-{}'",
        base64::engine::general_purpose::STANDARD.encode(hash)
      ));
    }
    // Record the hashes under this asset's key so the CSP header can be built from them.
    csp_hashes
      .inline_scripts
      .entry(key.clone().into())
      .or_default()
      .append(&mut scripts);
  }
}
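As an added example (not code from this PR or the tauri repository), the mismatch discussed above reproduced in Python: the generator hashes the script as the file stores it, while the webview hashes the script text the HTML parser produced, and the parser's input-stream preprocessing turns CR LF and lone CR into LF. `browser_allows` is an assumed emulation of the webview check, and the script text is constructed.

```python
import base64
import hashlib
import re

# Constructed sample: the same isolation script as checked out on Windows (CRLF)
# and on other platforms (LF). Not taken from the tauri repository.
SCRIPT_CRLF = "window.__HOOK__ = (payload) => payload;\r\nconsole.log('isolation ready');\r\n"
SCRIPT_LF = SCRIPT_CRLF.replace("\r\n", "\n")


def normalize_newlines(source: str) -> str:
    """HTML parser input-stream preprocessing: CR LF pairs and lone CR become LF."""
    return re.sub(r"\r\n?", "\n", source)


def csp_sha256(script: str) -> str:
    """Format a script body as a CSP 'sha256-<standard base64>' source expression."""
    digest = hashlib.sha256(script.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(source: str, normalize: bool) -> set[str]:
    """Build the script-src hash set the way the generator does: over the raw file
    text (pre-fix behaviour) or over LF-normalized text (post-fix behaviour)."""
    body = normalize_newlines(source) if normalize else source
    return {csp_sha256(body)}


def browser_allows(policy: set[str], delivered_html_script: str) -> bool:
    """Assumed webview behaviour: the parser normalizes newlines before the script
    text exists in the DOM, and that normalized text is what gets hashed and
    compared against the policy."""
    return csp_sha256(normalize_newlines(delivered_html_script)) in policy


def demo() -> dict[str, bool]:
    """Compare the pre-fix and post-fix generators against the emulated browser."""
    return {
        # Raw CRLF text hashed: the policy never matches what the browser hashes.
        "raw_crlf_allowed": browser_allows(build_policy(SCRIPT_CRLF, False), SCRIPT_CRLF),
        # Normalized before hashing: the policy matches again.
        "normalized_crlf_allowed": browser_allows(build_policy(SCRIPT_CRLF, True), SCRIPT_CRLF),
        # LF files were never affected, with or without normalization.
        "raw_lf_allowed": browser_allows(build_policy(SCRIPT_LF, False), SCRIPT_LF),
        # Normalization is idempotent on LF input, so no regression on other platforms.
        "normalized_lf_allowed": browser_allows(build_policy(SCRIPT_LF, True), SCRIPT_LF),
    }
```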

Member Author

ohh i was wondering the same - good to know

Member Author

oh so maybe we should fix inline_isolation instead? :|

Contributor

@Legend-Master Legend-Master Oct 10, 2025

No idea, I feel like this is pure magic now. I have no idea in which step the CRLF became LF (using "save as" in the webview2 devtools on the index.html response gave me LF while we surely returned one ending in CRLF; don't know if it's the devtools or something else) (don't know if the CSP is calculated from something like innerText or from the HTML file directly either). I would say switching to use a nonce in inline_isolation is a more realistic fix 😂

@lucasfernog lucasfernog merged commit 7b0d4e7 into dev Oct 10, 2025
27 checks passed
@lucasfernog lucasfernog deleted the fix/csp-windows branch October 10, 2025 11:11
@github-project-automation github-project-automation bot moved this from 📬Proposal to 🔎 In audit in Roadmap Oct 10, 2025
@Legend-Master
Contributor

I don't know how you even found this out, good job! 😂
