feat: make it secure

package.json

@@ -4,7 +4,7 @@
   "description": "Customizable personal knowledge-base with Github as unlimited storage and blogging platform.",
   "version": "0.3.6",
   "scripts": {
-    "start": "electron-forge start",
+    "start": "NODE_ENV=development electron-forge start",
     "package": "electron-forge package",
     "make": "electron-forge make",
     "lint": "eslint ./src --ext js",

src/services/windows/handleAttachToMenuBar.ts

@@ -36,6 +36,7 @@ export default async function handleAttachToMenuBar(): Promise<Menubar> {
       minHeight: 100,
       minWidth: 250,
       webPreferences: {
+        allowRunningInsecureContent: false,
         nodeIntegration: false,
         enableRemoteModule: true,
         webSecurity: !isDevelopment,

src/services/windows/index.ts

@@ -158,6 +158,7 @@ export class Window implements IWindowService {
         nodeIntegration: false,
         enableRemoteModule: true,
         webSecurity: !isDevelopment,
+        allowRunningInsecureContent: false,
         contextIsolation: true,
         preload: MAIN_WINDOW_PRELOAD_WEBPACK_ENTRY,
         additionalArguments: [windowName, JSON.stringify(meta)],

webpack.plugins.js

@@ -5,6 +5,8 @@ const CspHtmlWebpackPlugin = require('csp-html-webpack-plugin');
 const CircularDependencyPlugin = require('circular-dependency-plugin');
 const CopyPlugin = require('copy-webpack-plugin');
 
+const isDevelopment = process.env.NODE_ENV === 'development';
+
 exports.main = [
   // we only need one instance of TsChecker, it will check main and renderer all together
   // new ForkTsCheckerWebpackPlugin(),
@@ -34,7 +36,7 @@ exports.renderer = [
     {
       'base-uri': ["'self'"],
       'object-src': ["'none'"],
-      'script-src': ["'self' 'unsafe-eval'"],
+      'script-src': [`'self' ${isDevelopment ? "'unsafe-eval'" : ''}`],
       'style-src': ["'self' 'unsafe-inline'"],
       'frame-src': ["'none'"],
       'worker-src': ["'none'"],