Desktop: Fix "insecure content security policy" warning (#13288)

Co-authored-by: Laurent Cozic <laurent22@users.noreply.github.com>

.yarn/patches/depd-npm-1.1.2-b0c8414da7.patch

@@ -0,0 +1,36 @@
+# Patch to remove eval. This allows using depd in an environment with
+# a strict Content-Security-Policy.
+# Ref: https://github.com/dougwilson/nodejs-depd/pull/33
+diff --git a/index.js b/index.js
+index d758d3c8f58a60bf27ef377ad77639bf10ce7854..2bad40d4eeba553d3bcfb206873eac059067ae3b 100644
+--- a/index.js
++++ b/index.js
+@@ -399,19 +399,20 @@ function wrapfunction (fn, message) {
+     throw new TypeError('argument fn must be a function')
+   }
+ 
+-  var args = createArgumentsString(fn.length)
+-  var deprecate = this // eslint-disable-line no-unused-vars
+   var stack = getStack()
+   var site = callSiteLocation(stack[1])
+ 
+   site.name = fn.name
+ 
+-   // eslint-disable-next-line no-eval
+-  var deprecatedfn = eval('(function (' + args + ') {\n' +
+-    '"use strict"\n' +
+-    'log.call(deprecate, message, site)\n' +
+-    'return fn.apply(this, arguments)\n' +
+-    '})')
++  var deprecatedfn
++  var self = this
++  deprecatedfn = function () {
++    'use strict'
++    log.call(self, message, site)
++    return fn.apply(this, arguments)
++  }
++  Object.defineProperty(deprecatedfn, 'length', { value: fn.length })
++  Object.defineProperty(deprecatedfn, 'name', { value: fn.name })
+ 
+   return deprecatedfn
+ }

.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch

@@ -0,0 +1,35 @@
+# Patch to remove eval. This allows using depd in an environment with
+# a strict Content-Security-Policy.
+# Ref: https://github.com/dougwilson/nodejs-depd/pull/33
+diff --git a/index.js b/index.js
+index 1bf2fcfdeffc984e5ad792eec08744c29d4a4590..1b24aa2414458bc651abfdded81b103c131efeaa 100644
+--- a/index.js
++++ b/index.js
+@@ -415,19 +415,19 @@ function wrapfunction (fn, message) {
+     throw new TypeError('argument fn must be a function')
+   }
+ 
+-  var args = createArgumentsString(fn.length)
+   var stack = getStack()
+   var site = callSiteLocation(stack[1])
+ 
+   site.name = fn.name
+ 
+-  // eslint-disable-next-line no-new-func
+-  var deprecatedfn = new Function('fn', 'log', 'deprecate', 'message', 'site',
+-    '"use strict"\n' +
+-    'return function (' + args + ') {' +
+-    'log.call(deprecate, message, site)\n' +
+-    'return fn.apply(this, arguments)\n' +
+-    '}')(fn, log, this, message, site)
++  var self = this
++  var deprecatedfn = function () {
++    'use strict'
++    log.call(self, message, site)
++    return fn.apply(this, arguments)
++  }
++  Object.defineProperty(deprecatedfn, 'length', { value: fn.length })
++  Object.defineProperty(deprecatedfn, 'name', { value: fn.name })
+ 
+   return deprecatedfn
+ }

package.json

@@ -117,6 +117,12 @@
     "pdfjs-dist@*": "patch:pdfjs-dist@npm%3A3.11.174#./.yarn/patches/pdfjs-dist-npm-3.11.174-67f2fee6d6.patch",
     "pdfjs-dist@3.11.174": "patch:pdfjs-dist@npm%3A3.11.174#./.yarn/patches/pdfjs-dist-npm-3.11.174-67f2fee6d6.patch",
     "canvas@npm:^2.11.2": "link:./.yarn/joplin-empty-package/",
-    "node-gyp@npm:^9.0.0": "11.2.0"
+    "node-gyp@npm:^9.0.0": "11.2.0",
+    "depd@npm:^2.0.0": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",
+    "depd@npm:~2.0.0": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",
+    "depd@npm:~1.1.2": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",
+    "depd@npm:2.0.0": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",
+    "depd@npm:^1.1.2": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",
+    "depd@npm:^1.1.0": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch"
   }
 }

packages/app-desktop/index.html

@@ -2,11 +2,19 @@
 <html>
 	<head>
 		<meta charset="UTF-8">
-		<!--
-		No CPS because we need to allow everything due to some dependencies (eg. depd, which comes from maybe Node or Electron
-		uses 'eval'.
-		<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval'">
-		-->
+		<meta
+			http-equiv="Content-Security-Policy"
+			content="
+				default-src 'self' joplin-content://* ;
+				connect-src 'self' * http://* https://* joplin-content://* blob: ;
+				style-src 'unsafe-inline' 'self' blob: joplin-content://* https://* http://* ;
+				child-src 'self' joplin-content://* ;
+				script-src 'self' 'unsafe-inline' joplin-content://* ;
+				media-src 'self' * blob: data: https://* http://* joplin-content://* ;
+				img-src 'self' blob: data: http://* https://* joplin-content://* ;
+				font-src 'self' http://* https://* blob: data: joplin-content://* ;
+			"
+		/>
 		<title>Joplin</title>
 		<!-- Note: Add new dynamic CSS imports to style.scss to allow them to be included in secondary windows. -->
 		<link rel="stylesheet" href="style.min.css">

yarn.lock

@@ -23134,17 +23134,17 @@ __metadata:
   languageName: node
   linkType: hard
 
-"depd@npm:2.0.0, depd@npm:^2.0.0, depd@npm:~2.0.0":
+"depd@npm:2.0.0":
   version: 2.0.0
   resolution: "depd@npm:2.0.0"
   checksum: 10/c0c8ff36079ce5ada64f46cc9d6fd47ebcf38241105b6e0c98f412e8ad91f084bcf906ff644cc3a4bd876ca27a62accb8b0fff72ea6ed1a414b89d8506f4a5ca
   languageName: node
   linkType: hard
 
-"depd@npm:^1.1.0, depd@npm:^1.1.2, depd@npm:~1.1.2":
-  version: 1.1.2
-  resolution: "depd@npm:1.1.2"
-  checksum: 10/2ed6966fc14463a9e85451db330ab8ba041efed0b9a1a472dbfc6fbf2f82bab66491915f996b25d8517dddc36c8c74e24c30879b34877f3c4410733444a51d1d
+"depd@patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch":
+  version: 2.0.0
+  resolution: "depd@patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch::version=2.0.0&hash=c7e579"
+  checksum: 10/9f0be454908bcf019999d2c82f087a6b4e4fb5f31f2197d3c278ab3ba0b245e1172fd7f2f291940e79c59dfdccc590ad306bc8731fe68255544046263c3d2306
   languageName: node
   linkType: hard