diff --git a/astro.config.mjs b/astro.config.mjs index 6584979310..ea169dc46c 100644 --- a/astro.config.mjs +++ b/astro.config.mjs @@ -161,6 +161,10 @@ export default defineConfig({ { label: 'References', items: [ + { + label: 'List of References', + link: '/references', + }, { label: 'Tauri Configuration', link: '2/reference/config', @@ -238,6 +242,26 @@ export default defineConfig({ '/v1/guides/development/updating-dependencies', '/guides/develop/updating-dependencies' ), + // v1 /references + ...i18nRedirect('/v1/references', '/concepts'), + ...i18nRedirect('/v1/references/architecture', '/concepts/architecture'), + ...i18nRedirect('/v1/references/architecture/process-model', '/concepts/process-model'), + ...i18nRedirect('/v1/references/architecture/security', '/concepts/tauri-security'), + ...i18nRedirect( + '/v1/references/architecture/inter-process-communication', + '/concepts/inter-process-communication' + ), + ...i18nRedirect( + '/v1/references/architecture/inter-process-communication/brownfield', + '/concepts/inter-process-communication/brownfield' + ), + ...i18nRedirect( + '/v1/references/architecture/inter-process-communication/isolation', + '/concepts/inter-process-communication/isolation' + ), + ...i18nRedirect('/v1/references/security', '/concepts/development-security'), + ...i18nRedirect('/v1/references/configuration-files', '/references/configuration-files'), + ...i18nRedirect('/v1/references/webview-versions', '/references/webview-versions'), // Decommissioned locales '/ko/[...slug]': '/[...slug]', '/it/[...slug]': '/[...slug]', diff --git a/src/assets/concepts/architecture.svg b/src/assets/concepts/architecture.svg new file mode 100644 index 0000000000..c60aa331a7 --- /dev/null +++ b/src/assets/concepts/architecture.svg @@ -0,0 +1 @@ +
Upstream
Core
WRY
TAO
tauri
tauri-runtime
tauri-macros
tauri-utils
tauri-build
tauri-codegen
tauri-runtime-wry
 \ No newline at end of file diff --git a/src/assets/concepts/commands.svg b/src/assets/concepts/commands.svg new file mode 100644 index 0000000000..1aec609551 --- /dev/null +++ b/src/assets/concepts/commands.svg @@ -0,0 +1 @@ +Tauri CoreFrontendTauri CoreFrontendPerform computation, write to file system, etc.IPC requestResponse \ No newline at end of file diff --git a/src/assets/concepts/events.svg b/src/assets/concepts/events.svg new file mode 100644 index 0000000000..976f4668d1 --- /dev/null +++ b/src/assets/concepts/events.svg @@ -0,0 +1 @@ +Tauri CoreFrontendTauri CoreFrontendEvent \ No newline at end of file diff --git a/src/assets/concepts/process-model.svg b/src/assets/concepts/process-model.svg new file mode 100644 index 0000000000..da16546557 --- /dev/null +++ b/src/assets/concepts/process-model.svg @@ -0,0 +1 @@ +
Events & Commands
Events & Commands
Events & Commands
Core
WebView
WebView
WebView
 \ No newline at end of file diff --git a/src/content/docs/concepts/_recipes/about-recipes.md b/src/content/docs/concepts/_recipes/about-recipes.md new file mode 100644 index 0000000000..4bf700e2fb --- /dev/null +++ b/src/content/docs/concepts/_recipes/about-recipes.md @@ -0,0 +1,12 @@ +--- +id: about-recipes +title: 'A word on recipes' +sidebar_label: A word on recipes +draft: true +--- + +Tauri recipes are descriptions of use cases that are entirely configurable within the `src-tauri/tauri.conf.json` file. These are not the limits of what Tauri can do, and there are probably more out there. If you discover one, please get in touch and help us update this collection! + +If you haven't read about the general design of Tauri, then it would make the most sense for you to visit the [Quick Start] guide and become familiar with the basic architecture and terminology used in these recipes. + +[quick start]: ../../../guides/getting-started/setup/README.mdx diff --git a/src/content/docs/concepts/_recipes/bridge.md b/src/content/docs/concepts/_recipes/bridge.md new file mode 100644 index 0000000000..8f4a515db9 --- /dev/null +++ b/src/content/docs/concepts/_recipes/bridge.md @@ -0,0 +1,181 @@ +--- +title: Bridge +draft: true +--- + +import Rater from '@theme/Rater' +import useBaseUrl from '@docusaurus/useBaseUrl' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Bridge +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Bridge recipe is a secure pattern where messages are passed between brokers via an implicit bridge using the API. It isolates functionality to the specific scope and passes messages instead of functionality. + +## Diagram + +```mermaid +graph TD + H==>F + subgraph WEBVIEW + F-.-E + end + D-->E + E-->D + B-->D + D-->B + subgraph RUST + A==>H + A-->B + B-.-C + B-.-G + end + A[Binary] + B{Rust Broker} + C[Subprocess 2] + G[Subprocess 1] + D(( API BRIDGE )) + E{JS Broker} + F[Window] + H{Bootstrap} + class D apibridge + class RUST rust + class WEBVIEW webview +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +{ + "tauri": { + "allowlist": { + "all": false, + "clipboard": { + "all": false, + "readText": false, + "writeText": false + }, + "dialog": { + "all": false, + "ask": false, + "confirm": false, + "message": false, + "open": false, + "save": false + }, + "fs": { + "all": false, + "copyFile": false, + "createDir": false, + "readDir": false, + "readFile": false, + "removeDir": false, + "removeFile": false, + "renameFile": false, + "scope": [], + "writeFile": false + }, + "globalShortcut": { + "all": false + }, + "http": { + "all": false, + "request": false, + "scope": [] + }, + "notification": { + "all": false + }, + "os": { + "all": false + }, + "path": { + "all": false + }, + "process": { + "all": false, + "exit": false, + "relaunch": false, + "relaunchDangerousAllowSymlinkMacos": false + }, + "protocol": { + "all": false, + "asset": false, + "assetScope": [] + }, + "shell": { + "all": false, + "execute": false, + "open": false, + "scope": [], + "sidecar": false + }, + "window": { + "all": false, + "center": false, + "close": false, + "create": false, + "hide": false, + "maximize": false, + "minimize": false, + "print": false, + "requestUserAttention": false, + "setAlwaysOnTop": false, + "setDecorations": false, + "setFocus": false, + "setFullscreen": false, + "setIcon": false, + "setMaxSize": false, + "setMinSize": false, + "setPosition": false, + "setResizable": false, + "setSize": false, + "setSkipTaskbar": false, + "setTitle": false, + "show": false, + "startDragging": false, + "unmaximize": false, + "unminimize": false + } + } + } +} +``` diff --git a/src/content/docs/concepts/_recipes/cloudbridge.md b/src/content/docs/concepts/_recipes/cloudbridge.md new file mode 100644 index 0000000000..4afce6b112 --- /dev/null +++ b/src/content/docs/concepts/_recipes/cloudbridge.md @@ -0,0 +1,102 @@ +--- +title: Cloudbridge +draft: true +--- + +import Rater from '@theme/Rater' +import useBaseUrl from '@docusaurus/useBaseUrl' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Cloudbridge +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Cloudbridge recipe combines the flexibility of a localhost and the security of the bridge. With so many features, it can be easy to get lost. + +## Diagram + +```mermaid +graph TD + H==>F2 + H==>D2 + D2-->F2 + F2-->D2 + B-->D + D-->B + E2-->D + D-->E2 + subgraph WEBVIEW + F2 + E2 + end + subgraph SERVER + D2 + E-->D2 + end + subgraph RUST + A==>H + A-->B + B-.-C + end + A[Binary] + B{Rust Broker} + C[Subprocess] + D(( API BRIDGE )) + E{JS Broker} + D2(( localhost )) + E[bundled resources] + E2{JS Broker} + F2[Window] + H{Bootstrap} + class D apibridge + class RUST rust + class WEBVIEW webview + class SERVER server +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": { + "all": true // enable entire API + } +} +``` diff --git a/src/content/docs/concepts/_recipes/cloudish.md b/src/content/docs/concepts/_recipes/cloudish.md new file mode 100644 index 0000000000..62e5f8709f --- /dev/null +++ b/src/content/docs/concepts/_recipes/cloudish.md @@ -0,0 +1,90 @@ +--- +title: Cloudish +draft: true +--- + +import Rater from '@theme/Rater' +import useBaseUrl from '@docusaurus/useBaseUrl' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Cloudish +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Cloudish recipe is a pattern for maximum flexibility and app performance. It uses a localhost server, which means that your app will technically be available to other processes, like browsers and potentially other devices on the network. All of your assets are baked into the binary but served as if they were distinct files. + +## Diagram + +```mermaid +graph TD + H==>F + H==>D + D-->F + F-->D + subgraph RUST + A==>H + end + subgraph WEBVIEW + F + end + subgraph SERVER + D + E-->D + end + A[Binary] + D(( localhost )) + E[bundled resources] + F[Window] + H{Bootstrap} + class RUST rust + class WEBVIEW webview + class SERVER server +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": { + "all": false // disable entire API + } +} + +``` diff --git a/src/content/docs/concepts/_recipes/glui.md b/src/content/docs/concepts/_recipes/glui.md new file mode 100644 index 0000000000..ba32601767 --- /dev/null +++ b/src/content/docs/concepts/_recipes/glui.md @@ -0,0 +1,91 @@ +--- +title: GLUI +draft: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl' + +:::warning +This pattern is not available for now. +::: + +import Rater from '@theme/Rater' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ GLUI +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The GLUI is a research pattern that we will use internally to test approaches using a GLUTIN window. We’re not sure yet if it will make the final cut as a bona fide alternative to WebView, although early tests with transparent and multiwindow are exciting. + +## Diagram + +```mermaid +graph TD + A==>H + H==>G + A-->D + D-->G + subgraph GLUTIN + G + end + subgraph RUST + A + end + A[Binary] + D(Framebuffer) + G[GL Window] + H{Bootstrap} + class GLUTIN other + class RUST rust +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": { // all API endpoints are default false + "all": false, // disable the api + }, + "window": { // not yet normative + "glutin": true, + "webview": false + } +} +``` diff --git a/src/content/docs/concepts/_recipes/hermit.md b/src/content/docs/concepts/_recipes/hermit.md new file mode 100644 index 0000000000..252534b7d4 --- /dev/null +++ b/src/content/docs/concepts/_recipes/hermit.md @@ -0,0 +1,80 @@ +--- +title: Hermit +draft: true +--- + +import Rater from '@theme/Rater' +import useBaseUrl from '@docusaurus/useBaseUrl' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Hermit +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Hermit recipe is a pattern for ultimate application isolation where all logic is self-contained in the Window and the binary exists merely to bootstrap the Window. There is no communication back to Rust from the Window, there is no localhost server, and the Window has no access to any remote resources. The Hermit is great for interactive Kiosk Mode and standalone HTML-based games. + +## Diagram + +```mermaid +graph LR + A==>H + H==>F + subgraph WEBVIEW + F + end + subgraph RUST + A + end + A[fa:fa-cog Binary ] + F[fa:fa-window-maximize Window] + H{Bootstrap} + class RUST rust + class WEBVIEW webview +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": { + "all": false, // disable and tree-shake all api functions + } +} +``` diff --git a/src/content/docs/concepts/_recipes/lockdown.md b/src/content/docs/concepts/_recipes/lockdown.md new file mode 100644 index 0000000000..6c6d4fec33 --- /dev/null +++ b/src/content/docs/concepts/_recipes/lockdown.md @@ -0,0 +1,82 @@ +--- +title: Lockdown +draft: true +--- + +import Rater from '@theme/Rater' +import useBaseUrl from '@docusaurus/useBaseUrl' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Lockdown +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Lockdown recipe is a minimal usage of the [Bridge pattern](./bridge), which only allows interaction between Rust and the Window via expiring JS Promise Closures that are injected into the Window by Rust and nulled as part of the callback. + +## Diagram + +```mermaid +graph TD + H==>F + G-.->B + B-->G + subgraph WEBVIEW + G-->F + end + subgraph RUST + A-->B + A==>H + end + A[Binary] + B[API:Event] + F[Window] + G((Promise Closure)) + H{Bootstrap} + class RUST rust + class WEBVIEW webview +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": {} // all API endpoints are default false +} +``` diff --git a/src/content/docs/concepts/_recipes/multiwin.md b/src/content/docs/concepts/_recipes/multiwin.md new file mode 100644 index 0000000000..4d98562d8f --- /dev/null +++ b/src/content/docs/concepts/_recipes/multiwin.md @@ -0,0 +1,91 @@ +--- +title: Multiwin +draft: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl' +import Rater from '@theme/Rater' + +
+
+ + + + + + + + + + + + + + + + + +
Ease of Use
Extensibility
Performance
Security
+
+
+ Multiwin +
+
+ Pros: + + Cons: + +
+
+ +## Description + +The Multiwin recipe will allow you to have multiple windows. + +## Diagram + +```mermaid +graph LR + A==>H + H==>F + H==>G + subgraph WEBVIEW + F + end + subgraph WINIT + G + end + subgraph RUST + A + end + A[Binary] + F[Window] + G[Window] + H{Bootstrap} + class WINIT other + class RUST rust + class WEBVIEW webview +``` + +## Configuration + +Here's what you need to add to your tauri.conf.json file: + +```json +"tauri": { + "allowlist": {}, // all API endpoints are default false + "windows": [{ + "title": "Window1", + "label": "main", + }, { + "title": "Splash", + "label": "splashscreen" + }] +} + +``` diff --git a/src/content/docs/concepts/architecture.mdx b/src/content/docs/concepts/architecture.mdx new file mode 100644 index 0000000000..b0d37f1a9f --- /dev/null +++ b/src/content/docs/concepts/architecture.mdx @@ -0,0 +1,152 @@ +--- +title: Tauri Architecture +--- + +## Introduction + +Tauri is a polyglot and generic toolkit that is very composable and allows engineers to make a wide variety of applications. It is used for building applications for desktop computers using a combination of Rust tools and HTML rendered in a Webview. Apps built with Tauri can ship with any number of pieces of an optional JS API and Rust API so that webviews can control the system via message passing. Developers can extend the default API with their own functionality and bridge the Webview and Rust-based backend easily. + +Tauri apps can have [custom menus](../../guides/features/menu) and [tray-type interfaces](../../guides/features/system-tray). They can be [updated](../../guides/distribution/updater) and are managed by the user's operating system as expected. They are very small because they use the OS's webview. They do not ship a runtime since the final binary is compiled from Rust. This makes the [reversing of Tauri apps not a trivial task](./security). + +### What Tauri is Not + +Tauri is not a lightweight kernel wrapper. Instead, it directly uses [WRY](#wry) and [TAO](#tao) to do the heavy lifting in making system calls to the OS. + +Tauri is not a VM or virtualized environment. Instead, it is an application toolkit that allows making Webview OS applications. + +## Core Ecosystem + +![Tauri Architecture Diagram](../../../assets/concepts/architecture.svg) + +### tauri + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri) + +This is the major crate that holds everything together. It brings the runtimes, macros, utilities and API into one final product. It reads the [`tauri.conf.json`](../../api/config) file at compile time to bring in features and undertake the actual configuration of the app (and even the `Cargo.toml` file in the project's folder). It handles script injection (for polyfills / prototype revision) at runtime, hosts the API for systems interaction, and even manages the updating process. + +### tauri-runtime + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-runtime) + +The glue layer between Tauri itself and lower-level webview libraries. + +### tauri-macros + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-macros) + +Creates macros for the context, handler, and commands by leveraging the [`tauri-codegen`](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-codegen) crate. + +### tauri-utils + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-utils) + +Common code that is reused in many places and offers useful utilities like parsing configuration files, detecting platform triples, injecting the CSP, and managing assets. + +### tauri-build + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-build) + +Applies the macros at build-time to rig some special features needed by `cargo`. + +### tauri-codegen + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-codegen) + +Embeds, hashes, and compresses assets, including icons for the app as well as the system tray. Parses [`tauri.conf.json`](../../api/config.md) at compile time and generates the Config struct. + +### tauri-runtime-wry + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/core/tauri-runtime-wry) + +This crate opens up direct systems-level interactions specifically for WRY, such as printing, monitor detection, and other windowing-related tasks. + +## Tauri Tooling + +### API (JavaScript / TypeScript) + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/tooling/api) + +A typescript library that creates `cjs` and `esm` JavaScript endpoints for you to import into your frontend framework so that the Webview can call and listen to backend activity. Also ships in pure typescript, because for some frameworks this is more optimal. It uses the message passing of webviews to their hosts. + +### Bundler (Rust / Shell) + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/tooling/bundler) + +A library that builds a Tauri app for the platform it detects or is told. Currently supports macOS, Windows and Linux - but in the near future will support mobile platforms as well. May be used outside of Tauri projects. + +### cli.rs (Rust) + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/tooling/cli) + +This Rust executable provides the full interface to all of the required activities for which the CLI is required. It runs on macOS, Windows, and Linux. + +### cli.js (JavaScript) + +[View on GitHub](https://github.com/tauri-apps/tauri/tree/dev/tooling/cli/node) + +Wrapper around [`cli.rs`](https://github.com/tauri-apps/tauri/blob/dev/tooling/cli) using [`napi-rs`](https://github.com/napi-rs/napi-rs) to produce npm packages for each platform. + +### create-tauri-app (JavaScript) + +[View on GitHub](https://github.com/tauri-apps/create-tauri-app) + +A toolkit that will enable engineering teams to rapidly scaffold out a new `tauri-apps` project using the frontend framework of their choice (as long as it has been configured). + +## Upstream Crates + +The Tauri-Apps organization maintains two "upstream" crates from Tauri, namely TAO for creating and managing application windows, and WRY for interfacing with the Webview that lives within the window. + +### TAO + +[View on GitHub](https://github.com/tauri-apps/tao) + +Cross-platform application window creation library in Rust that supports all major platforms like Windows, macOS, Linux, iOS and Android. Written in Rust, it is a fork of [winit](https://github.com/rust-windowing/winit) that we have extended for our own needs - like menu bar and system tray. + +### WRY + +[View on GitHub](https://github.com/tauri-apps/wry) + +WRY is a cross-platform WebView rendering library in Rust that supports all major desktop platforms like Windows, macOS, and Linux. +Tauri uses WRY as the abstract layer responsible to determine which webview is used (and how interactions are made). + +## Additional Tooling + +### tauri-action + +[View on GitHub](https://github.com/tauri-apps/tauri-action) + +GitHub workflow that builds Tauri binaries for all platforms. Even allows creating a (very basic) Tauri app even if Tauri is not set up. + +### tauri-vscode + +[View on GitHub](https://github.com/tauri-apps/tauri-vscode) + +This project enhances the Visual Studio Code interface with several nice-to-have features. + +### vue-cli-plugin-tauri + +[View on GitHub](https://github.com/tauri-apps/vue-cli-plugin-tauri) + +Allows you to very quickly install Tauri in a vue-cli project. + +## Plugins + +[Tauri Plugin Guide](../../guides/features/plugin) + +Generally speaking, plugins are authored by third parties (even though there may be official, supported plugins). A plugin generally does 3 things: + +1. Enables Rust code to do "something". +2. Provides interface glue to make it easy to integrate into an app. +3. Provides a JavaScript API for interfacing with the Rust code. + +Here are some examples of Tauri Plugins: + +- [tauri-plugin-sql](https://github.com/tauri-apps/tauri-plugin-sql) +- [tauri-plugin-stronghold](https://github.com/tauri-apps/tauri-plugin-stronghold) +- [tauri-plugin-authenticator](https://github.com/tauri-apps/tauri-plugin-authenticator) + +## License + +Tauri itself is licensed under MIT or Apache-2.0. If you repackage it and modify any source code, it is your responsibility to verify that you are complying with all upstream licenses. Tauri is provided AS-IS with no explicit claim for suitability for any purpose. + +Here you may peruse our [Software Bill of Materials](https://app.fossa.com/projects/git%2Bgithub.com%2Ftauri-apps%2Ftauri). diff --git a/src/content/docs/concepts/development-security.md b/src/content/docs/concepts/development-security.md new file mode 100644 index 0000000000..30e14f0968 --- /dev/null +++ b/src/content/docs/concepts/development-security.md @@ -0,0 +1,80 @@ +--- +title: Development Security +description: Learn about the steps you can take to help your app be as secure as possible. +--- + +Whether you like it or not, today's applications live in operating systems that can be (and regularly are) compromised by any number of attacks. When your insecure application is a gateway for such lateral movement into the operating system, you are contributing to the tools that professional hackers have at their disposal. Don't be a tool. + +This is why we have taken every opportunity to help you secure your application, prevent undesired access to system-level interfaces, and manufacture bullet-proof applications. Your users assume you are following best practices. We make that easy, but you should still be aware of the information below. + +## Security Is A Community Responsibility + +It is important to remember that the security of your Tauri application is the sum of the overall security of Tauri itself, all Rust and npm dependencies, your code, and the devices that run the final application. The Tauri Team does their best to do their part, the security community does its part, and you too should follow a few important best practices. + +### Keep Your Application Up-To-Date + +When releasing your app into the wild, you are also shipping a bundle that has Tauri in it. Vulnerabilities affecting Tauri may impact the security of your application. By updating Tauri to the latest version, you ensure that critical vulnerabilities are already patched and cannot be exploited in your application. Also be sure to keep your compiler (rustc) and transpilers (nodejs) up to date, because there are often security issues that are resolved. + +### Evaluate Your Dependencies + +While npm and Crates.io provide many convenient packages, it is your responsibility to choose trustworthy third-party libraries - or rewrite them in Rust. If you do use outdated libraries which are affected by known vulnerabilities or are unmaintained, your application security and good night's sleep could be in jeopardy. Use tooling like npm audit and cargo audit to automate this process, and lean on the security community's important work. + +### Adopt More Secure Coding Practices + +The first line of defense for your application is your own code. Although Tauri can protect you from common web vulnerabilities, such as Cross-Site Scripting based Remote Code Execution, improper configurations can have a security impact. Even if this were not the case, it is highly recommended to adopt secure software development best practices and perform security testing. We detail what this means in the next section. + +### Educate Your Users + +True security means that unexpected behavior cannot happen. So in a sense, being more secure means having the peace of mind of knowing that ONLY those things that you want to happen can happen. In the real world, though, this is a utopian "dream". However, by removing as many vectors as possible and building on a solid foundation, your choice of Tauri is a signal to your users that you care about them, their safety, and their devices. + +## Threat Models + +Tauri applications are composed of many pieces at different points of the lifecycle. Here we describe classical threats and what you SHOULD do about them. + +### Upstream Threats + +Tauri is a direct dependency on your project, and we maintain strict authorial control of commits, reviews, pull requests, and releases. We do our best to maintain up-to-date dependencies and take action to either update or fork and fix. Other projects may not be so well maintained, and may not even have ever been audited. Please consider their health when integrating them, otherwise, you may have adopted architectural debt without even knowing it. + +### Development Threats + +We assume that you, the developer, care for your development environment. It is on you to make sure that your operating system, build toolchains, and associated dependencies are kept up to date. + +A genuine risk all of us face is what is known as "supply-chain attacks", which are usually considered to be attacks on direct dependencies of your project. However, a growing class of attacks in the wild directly target development machines, and you would be well off to address this head-on. + +One practice that we highly recommend, is to only ever consume critical dependencies from git using hash revisions at best or named tags as second best. This holds for Rust as well as the Node ecosystem. Also, consider requiring all contributors to sign their commits and protect Git branches and pipelines. + +### Buildtime Threats + +Modern organizations use CI/CD to manufacture binary artifacts. At Tauri, we even provide a GitHub Workflow for building on multiple platforms. If you create your own CI/CD and depend on third-party tooling, be wary of actions whose versions you have not explicitly pinned. + +You should sign your binaries for the platform you are shipping to, and while this can be complicated and somewhat costly to set up, end users expect that your app is verifiably from you. + +### Runtime Threats + +We assume the webview is insecure, which has led Tauri to implement several protections regarding webview access to system APIs in the context of loading untrusted userland content. + +You can read more in detail below, but using the CSP will lockdown types of communication that the Webview can undertake. Furthermore, Context Isolation prevents untrusted content or scripts from accessing the API within the Webview. + +And please, whatever you do, **DO NOT** trust the results of cryptography using private keys in the Webview. Rust is there for a reason. + +### Updater Threats + +We have done our best to make shipping hot updates to the app as straightforward and secure as possible. However, all bets are off if you lose control of the manifest server, the build server, or the binary hosting service. If you build your own system, consult a professional OPS architect and build it properly. + +## Secure Content Loading + +Tauri restricts the [Content Security Policy] (CSP) of your HTML pages. Local scripts are hashed, styles and external scripts are referenced using a cryptographic nonce, which prevents unallowed content from being loaded. + +:::warning +Avoid loading remote content such as scripts served over a CDN as they introduce an attack vector. But any untrusted file can introduce new and subtle attack vectors. +::: + +The CSP protection is only enabled if `[tauri > security > csp]` is set on the Tauri configuration file. You should make it as restricted as possible, only allowing the webview to load assets from hosts you trust, and preferably own. At compile time, Tauri appends its nonces and hashes to the relevant CSP attributes automatically, so you only need to worry about what is unique to your application. + +See [`script-src`], [`style-src`] and [CSP Sources] for more +information about this protection. + +[content security policy]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +[`script-src`]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src +[`style-src`]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src +[csp sources]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources diff --git a/src/content/docs/concepts/index.mdx b/src/content/docs/concepts/index.mdx index 92239bf726..ed605bb9af 100644 --- a/src/content/docs/concepts/index.mdx +++ b/src/content/docs/concepts/index.mdx @@ -13,6 +13,17 @@ SPAs, SSG, etc. import { CardGrid, LinkCard } from '@astrojs/starlight/components'; + + + + + diff --git a/src/content/docs/concepts/inter-process-communication/brownfield.md b/src/content/docs/concepts/inter-process-communication/brownfield.md new file mode 100644 index 0000000000..fcc4411449 --- /dev/null +++ b/src/content/docs/concepts/inter-process-communication/brownfield.md @@ -0,0 +1,46 @@ +--- +title: Brownfield Pattern +--- + +_**This is the default pattern.**_ + +This is the simplest and most straightforward pattern to use Tauri with, because it tries to be as compatible as possible with +existing frontend projects. In short, it tries to require nothing additional to what an existing web +frontend might use inside a browser. Not _**everything**_ that works in existing browser applications will work out-of-the-box; see the [Incompatibility section](#incompatibilities) for more details. + +If you are unfamiliar with Brownfield software development in general, the [Brownfield Wikipedia article] +provides a nice summary. For Tauri, the existing software is current browser support and behavior, instead of +legacy systems. + +## Incompatibilities + +The first incompatibility category is simple: any browser-specific APIs will not work properly inside Tauri (even while +using the Brownfield pattern). If the API is not widely supported across browsers, it probably won't be supported +across all platforms while using Tauri. + +The second incompatibility category is features that are planned for Tauri, but are currently not fully implemented. Here +is a list of examples: + +- [WebRTC support on Linux](https://github.com/tauri-apps/wry/issues/85) +- [Some permissions APIs](https://github.com/tauri-apps/wry/issues/81) +- [Download Links/Blob as URL](https://github.com/tauri-apps/wry/issues/349) +- [Better i18n](https://github.com/tauri-apps/wry/issues/442) + +## Configuration + +Because the Brownfield pattern is the default pattern, it doesn't require a configuration option to be set. To explicitly set +it, you can use the `tauri > pattern` object in the `tauri.conf.json` configuration file. + +```json +{ + "tauri": { + "pattern": { + "use": "brownfield" + } + } +} +``` + +_**There are no additional configuration options for the brownfield pattern.**_ + +[brownfield wikipedia article]: https://en.wikipedia.org/wiki/Brownfield_(software_development) diff --git a/src/content/docs/concepts/inter-process-communication/index.mdx b/src/content/docs/concepts/inter-process-communication/index.mdx new file mode 100644 index 0000000000..c094854990 --- /dev/null +++ b/src/content/docs/concepts/inter-process-communication/index.mdx @@ -0,0 +1,56 @@ +--- +title: Inter-Process Communication +--- + +import { CardGrid, LinkCard } from '@astrojs/starlight/components'; + +Inter-Process Communication (IPC) allows isolated processes to communicate securely and is key to building more complex applications. + +Learn more above the specific IPC patterns in the following guides: + + + + + + +Tauri uses a particular style of Inter-Process Communication called [Asynchronous Message Passing], where processes exchange _requests_ and _responses_ serialized using some simple data representation. Message Passing should sound familiar to anyone with web development experience, as this paradigm is used for client-server communication on the internet. + +Message passing is a safer technique than shared memory or direct function access because the recipient is free to reject or discard requests as it sees fit. For example, if the Tauri Core process determines a request to be malicious, it simply discards the requests and never executes the corresponding function. + +In the following, we explain Tauri's two IPC primitives - `Events` and `Commands` - in more detail. + +## Events + +Events are fire-and-forget, one-way IPC messages that are best suited to communicate lifecycle events and state changes. Unlike [Commands](#commands), Events can be emitted by both the Frontend _and_ the Tauri Core. + +
+ +![IPC Diagram](../../../../assets/concepts/events.svg) + +
Figure 1-2: An event sent from the Core to the Frontend.
+
+ +## Commands + +Tauri also provides a [foreign function interface]-like abstraction on top of IPC messages[^1]. The primary API, `invoke`, is similar to the browser's `fetch` API and allows the Frontend to invoke Rust functions, pass arguments, and receive data. + +Because this mechanism uses a [JSON-RPC] like protocol under the hood to serialize requests and responses, all arguments and return data must be serializable to JSON. + +
+ +![IPC Diagram](../../../../assets/concepts/commands.svg) + +
Figure 1-3: IPC messages involved in a command invocation.
+
+ +[^1]: Because Commands still use message passing under the hood, they do not share the same security pitfalls as real FFI interfaces do. + +[asynchronous message passing]: https://en.wikipedia.org/wiki/Message_passing#Asynchronous_message_passing +[json-rpc]: https://www.jsonrpc.org +[foreign function interface]: https://en.wikipedia.org/wiki/Foreign_function_interface diff --git a/src/content/docs/concepts/inter-process-communication/isolation.md b/src/content/docs/concepts/inter-process-communication/isolation.md new file mode 100644 index 0000000000..38fca1fbf0 --- /dev/null +++ b/src/content/docs/concepts/inter-process-communication/isolation.md @@ -0,0 +1,112 @@ +--- +title: Isolation Pattern +--- + +The Isolation pattern is a way to intercept and modify Tauri API messages sent by the frontend before they get to Tauri Core, all with JavaScript. The secure JavaScript code that is injected by the Isolation pattern is referred to as the Isolation application. + +## Why + +The Isolation pattern's purpose is to provide a mechanism for developers to help protect their application from unwanted or malicious frontend calls to Tauri Core. The need for the Isolation pattern rose out of threats coming from untrusted content running on the frontend, a common case for applications with many dependencies. See [Security: Threat Models] for a list of many sources of threats that an application may see. + +The largest threat model described above that the Isolation pattern was designed in mind was Development Threats. Not only do many frontend build-time tools consist of many dozen (or hundreds) of often deeply-nested dependencies, but a complex application may also have a large amount of (also often deeply-nested) dependencies that are bundled into the final output. + +## When + +Tauri highly recommends using the isolation pattern whenever it can be used. Because the Isolation application intercepts _**all**_ messages from the frontend, it can _always_ be used. + +Tauri also strongly suggests locking down your application whenever you use external Tauri APIs. As the developer, you can utilize the secure Isolation application to try and verify IPC inputs, to make sure they are within some expected parameters. For example, you may want to check that a call to read or write a file is not trying to access a path outside your application's expected locations. Another example is making sure that a Tauri API HTTP fetch call is only setting the Origin header to what your application expects it to be. + +That said, it intercepts _**all**_ messages from the frontend, so it will even work with always-on APIs such as [Events]. Since some events may cause your own rust code to perform actions, the same sort of validation techniques can be used with them. + +## How + +The Isolation pattern is all about injecting a secure application in between your frontend and Tauri Core to intercept and modify incoming IPC messages. It does this by using the sandboxing feature of `