tauri-apps · vasfvitor · Oct 11, 2024 · Jul 22, 2024 · Aug 20, 2024 · Oct 11, 2024
@@ -750,6 +750,7 @@ Type: `object`
 | <div className="anchor-with-padding" id="securityconfig.freezeprototype">`freezePrototype`<a class="hash-link" href="#securityconfig.freezeprototype"></a></div> | `boolean` | `false` | Freeze the `Object.prototype` when using the custom protocol. |
 | <div className="anchor-with-padding" id="securityconfig.dangerousdisableassetcspmodification">`dangerousDisableAssetCspModification`<a class="hash-link" href="#securityconfig.dangerousdisableassetcspmodification"></a></div> | [`DisabledCspModificationKind`](#disabledcspmodificationkind) | `false` | Disables the Tauri-injected CSP sources.<br /><br />At compile time, Tauri parses all the frontend assets and changes the Content-Security-Policy to only allow loading of your own scripts and styles by injecting nonce and hash sources. This stricts your CSP, which may introduce issues when using along with other flexing sources.<br /><br />This configuration option allows both a boolean and a list of strings as value. A boolean instructs Tauri to disable the injection for all CSP injections, and a list of strings indicates the CSP directives that Tauri cannot inject.<br /><br />**WARNING:** Only disable this if you know what you are doing and have properly configured the CSP. Your application might be vulnerable to XSS attacks without this Tauri protection. |
 | <div className="anchor-with-padding" id="securityconfig.dangerousremotedomainipcaccess">`dangerousRemoteDomainIpcAccess`<a class="hash-link" href="#securityconfig.dangerousremotedomainipcaccess"></a></div> | [`RemoteDomainAccessScope[]`](#remotedomainaccessscope) | [] | Allow external domains to send command to Tauri.<br /><br />By default, external domains do not have access to `window.__TAURI__`, which means they cannot communicate with the commands defined in Rust. This prevents attacks where an externally loaded malicious or compromised sites could start executing commands on the user's device.<br /><br />This configuration allows a set of external domains to have access to the Tauri commands. When you configure a domain to be allowed to access the IPC, all subpaths are allowed. Subdomains are not allowed.<br /><br />**WARNING:** Only use this option if you either have internal checks against malicious external sites or you can trust the allowed external sites. You application might be vulnerable to dangerous Tauri command related attacks otherwise. |
+| <div className="anchor-with-padding" id="securityconfig.dangeroususehttpscheme">`dangerousUseHttpScheme`<a class="hash-link" href="#securityconfig.dangeroususehttpscheme"></a></div> | boolean | `false` | Sets whether the custom protocols should use `http://<scheme>.localhost` instead of the default `https://<scheme>.localhost` on Windows.<br /><br />**WARNING:** Using a `http` scheme will allow mixed content when trying to fetch `http` endpoints and is therefore less secure but will match the behavior of the `<scheme>://localhost` protocols used on macOS and Linux. |
 
 
 #### Csp