I'm currently working on an Electron application that works alongside a detached Node.js process. The said process exposes its API on localhost, which the app later has to talk to. It's in a way a proxy between the app and the infrastructure.
The problem is that my current CSP settings disallow the renderer process from performing any kind of requests to the API. I've been searching for solutions for a while now, and the only one I stumbled upon is making API calls in the main process and then sending results through IPC back to the renderer.
So in a nutshell - are there any content-security-policy settings that would restrict all resources to be loaded only as if I was using default-src: 'self', except for localhost on a given port? I know how to allow other domains such as for CDNs, but my question is more about whether I can block everything except for API calls on the local machine.
CodePudding user response:
If you only want to allow API calls on the local machine you can set your policy to "default-src 'self'; connect-src localhost;", though you may have to specify the scheme if it is different from the current source, and the port if it is not the default.
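An added JavaScript example (not from the post above or from Electron itself): a minimal CSP connect-src matcher that shows why the answer's `connect-src localhost` may still need a scheme and a port. It assumes a constructed page origin of https://app.example and a constructed local API at http://localhost:8080.

```javascript
// Added example (not from the original post): a minimal CSP connect-src matcher
// that shows why "connect-src localhost" may still need a scheme and a port.
// PAGE_ORIGIN and API_URL are constructed for illustration.
const PAGE_ORIGIN = 'https://app.example';          // where the renderer page is loaded from
const API_URL = 'http://localhost:8080/api/status'; // the detached local API

// Split "default-src 'self'; connect-src localhost" into {directive: [sources]}.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression ('self', '*' or [scheme://]host[:port]) match target?
// Scheme-only sources (e.g. "http:") and nonces/hashes are not handled here.
function sourceMatches(source, target, page) {
  const src = source.replace(/^'|'$/g, '');
  if (src === 'self') return target.origin === page.origin;
  if (src === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source: it inherits the page's scheme (http pages may also
  // match https targets), so an https page and an http://localhost API differ.
  const wantScheme = scheme ? `${scheme.toLowerCase()}:` : page.protocol;
  const schemeOk = target.protocol === wantScheme ||
    (wantScheme === 'http:' && target.protocol === 'https:');
  if (!schemeOk || host.toLowerCase() !== target.hostname.toLowerCase()) return false;
  // No port in the source: only the default port of the target's scheme matches.
  const defaultPort = target.protocol === 'https:' ? '443' : '80';
  const targetPort = target.port || defaultPort;
  if (port === '*') return true;
  return port === undefined ? targetPort === defaultPort : targetPort === port;
}

// Is a fetch/XHR from the page to targetUrl allowed? connect-src falls back to default-src.
function connectAllowed(policy, targetUrl, pageOrigin = PAGE_ORIGIN) {
  const d = parsePolicy(policy);
  const sources = d['connect-src'] || d['default-src'];
  if (!sources) return true;                     // nothing governs connections
  if (sources.includes("'none'")) return false;
  const target = new URL(targetUrl), page = new URL(pageOrigin);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Policies from the question and answer, checked against API_URL:
//   "default-src 'self'"                                    -> false (API blocked)
//   "default-src 'self'; connect-src localhost"             -> false (scheme inherited as https:)
//   "default-src 'self'; connect-src http://localhost"      -> false (8080 is not the default port)
//   "default-src 'self'; connect-src http://localhost:8080" -> true
```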