Access Control List
Each Tauri command exposes a Rust function that can perform arbitrary actions using operating system APIs to the JavaScript layer, which is sandboxed by default using Web standards. This introduces a risk to your application if an attacker can perform code execution accessing Tauri commands.
To mitigate this, Tauri uses an Access Control List (ACL) to restrict access of plugin commands. By default all plugin commands are blocked and cannot be accessed. To enable access to the commands your application needs, you must define a list of permissions you need access.
A capability groups a collection of permissions with an associated list of windows so you can configure access control on single and multi window applications.
You define capabilities as either a JSON or a TOML file inside the src-tauri/capabilities
directory.
The following JSON defines a capability that enables default functionality for core plugins and the window.setTitle
API.
Capabilities can be platform-specific by defining the platforms
array.
By default the capability is applied to all targets,
but you can select a subset of the linux
, macOS
, windows
, iOS
and android
targets.
For example, let’s define a capability for desktop. Note it enables permissions on plugins that are only available on desktop:
And define a capability for mobile. Note it enables permissions on plugins that are only available on mobile:
Tauri generates a JSON schema with all the permissions that are available to your application so you have autocompletion in your IDE.
To use the schema, set the $schema
property to one of the schemas inside the capabilities/schemas
directory, which are platform-specific.
Usually you will set it to ../gen/schemas/desktop-schema.json
or ../gen/schemas/mobile-schema.json
though you can also define a capability for a specific target platform.
In the example above we defined specific capabilities for desktop and mobile, and referenced the associated JSON schema. Let’s define a capability only for Linux:
The windows
property defines the list of windows that should reference the list of permissions. You can use glob patterns to reference dynamic window labels.
The following example links the capability with the main
window and any window with label prefixed with editor-
.
Scopes further restrict the commands. Their format is plugin-specific, but Tauri offers primitives to allow and deny certain actions of the command, usually restricting command input.
For instance, the fs
plugin allows you to use scopes to allow or deny certain directories and files, and the http
plugin uses scopes to filter URLs that are allowed to be reached.
Let’s study some examples for official plugins:
- allow any
fs
command to access the app data directory:
- allow the
fs
rename
command to access the home directory:
- configure scope for the
http
plugin:
By default each capability only applies to your application’s embedded content (either your devUrl
or frontendDist
frontend).
If you want to allow a remote URL to access Tauri commands (which is dangerous and should be configured carefully), you can use the context
property.
In the following example, we associate the capability with any tauri.app
subdomain:
© 2024 Tauri Contributors. CC-BY / MIT