fix(core): change default freezePrototype to false, closes #3416 #3406 (#3423)

2026-04-01 10:01:07 +02:00 · 2022-02-12 10:28:05 -03:00
parent c01036043d
commit 3a4c016061
5 changed files with 15 additions and 22 deletions
--- a/.changes/fix-default-freeze-prototype.md
+++ b/.changes/fix-default-freeze-prototype.md
@@ -0,0 +1,6 @@
+---
+"tauri": patch
+"tauri-utils": patch
+---
+
+Change default value for the `freezePrototype` configuration to `false`.
--- a/core/tauri-codegen/src/embedded_assets.rs
+++ b/core/tauri-codegen/src/embedded_assets.rs
@@ -192,7 +192,7 @@ impl AssetOptions {
    Self {
      csp: false,
      pattern,
-      freeze_prototype: true,
+      freeze_prototype: false,
      #[cfg(feature = "isolation")]
      isolation_schema: format!("isolation-{}", uuid::Uuid::new_v4()),
    }
--- a/core/tauri-utils/src/config.rs
+++ b/core/tauri-utils/src/config.rs
@@ -573,7 +573,7 @@ fn default_file_drop_enabled() -> bool {

 /// Security configuration.
 #[skip_serializing_none]
-#[derive(Debug, PartialEq, Clone, Deserialize, Serialize)]
+#[derive(Debug, Default, PartialEq, Clone, Deserialize, Serialize)]
 #[cfg_attr(feature = "schema", derive(JsonSchema))]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
 pub struct SecurityConfig {
@@ -589,24 +589,10 @@ pub struct SecurityConfig {
  /// See <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP>.
  pub dev_csp: Option<String>,
  /// Freeze the `Object.prototype` when using the custom protocol.
-  #[serde(default = "default_freeze_prototype")]
+  #[serde(default)]
  pub freeze_prototype: bool,
 }

-impl Default for SecurityConfig {
-  fn default() -> Self {
-    Self {
-      csp: None,
-      dev_csp: None,
-      freeze_prototype: default_freeze_prototype(),
-    }
-  }
-}
-
-fn default_freeze_prototype() -> bool {
-  true
-}
-
 /// Defines an allowlist type.
 pub trait Allowlist {
  /// Returns all features associated with the allowlist struct.
@@ -2558,7 +2544,7 @@ mod test {
      security: SecurityConfig {
        csp: None,
        dev_csp: None,
-        freeze_prototype: true,
+        freeze_prototype: false,
      },
      allowlist: AllowlistConfig::default(),
      system_tray: None,
--- a/examples/api/src-tauri/tauri.conf.json
+++ b/examples/api/src-tauri/tauri.conf.json
@@ -116,7 +116,8 @@
      }
    ],
    "security": {
-      "csp": "default-src 'self' customprotocol: img-src: 'self'; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; img-src 'self' asset: https://asset.localhost blob: data:; font-src https://fonts.gstatic.com"
+      "csp": "default-src 'self' customprotocol: img-src: 'self'; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; img-src 'self' asset: https://asset.localhost blob: data:; font-src https://fonts.gstatic.com",
+      "freezePrototype": true
    },
    "systemTray": {
      "iconPath": "../../.icons/tray_icon_with_transparency.png",
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
@@ -155,7 +155,7 @@
          "use": "brownfield"
        },
        "security": {
-          "freezePrototype": true
+          "freezePrototype": false
        },
        "updater": {
          "active": false,
@@ -1294,7 +1294,7 @@
        },
        "freezePrototype": {
          "description": "Freeze the `Object.prototype` when using the custom protocol.",
-          "default": true,
+          "default": false,
          "type": "boolean"
        }
      },
@@ -1609,7 +1609,7 @@
        "security": {
          "description": "Security configuration.",
          "default": {
-            "freezePrototype": true
+            "freezePrototype": false
          },
          "allOf": [
            {