import { session } from 'electron';

/**
 * Set a Content-Security-Policy (CSP) response header to reduce the impact of XSS.
 *
 * Registers an `onHeadersReceived` listener on `session.defaultSession` that
 * copies the incoming response headers and sets `Content-Security-Policy` to
 * the policy chosen by `isDev`. No URL filter is passed, so the listener is
 * invoked for every response the default session handles.
 *
 * Review notes for maintainers:
 * - The development policy allows inline scripts (`'unsafe-inline'`) and any
 *   localhost port. A build that ships with `isDev` truthy loses most of the
 *   script-injection protection CSP offers.
 * - Both policies keep `style-src 'unsafe-inline'`, and `img-src` accepts any
 *   `https:` origin.
 * - Neither policy sets `base-uri` or `form-action`. Those directives do not
 *   fall back to `default-src`.
 * - Only `defaultSession` is covered. NOTE(review): windows or webviews created
 *   with a custom session or partition would not receive this header. Confirm
 *   none exist.
 * - NOTE(review): Electron keeps a single listener per webRequest event, so a
 *   later `onHeadersReceived` registration on this session would replace this
 *   one. Confirm no other module registers one.
 * - NOTE(review): header hooks do not apply to content loaded over `file://`.
 *   If the packaged renderer is loaded that way, confirm a `<meta>` CSP is
 *   present in the HTML.
 *
 * @param {boolean} isDev - Truthy selects the relaxed development policy;
 *   falsy selects the production policy.
 * @returns {void}
 */
export function setContentSecurityPolicy(isDev) {
  // Development: allows the local dev server, its websocket, inline scripts and blob workers.
  const developmentPolicy =
    "default-src 'self'; script-src 'self' 'unsafe-inline' http://localhost:*; style-src 'self' 'unsafe-inline'; connect-src 'self' http://localhost:* ws://localhost:* https://ai-anim.com; img-src 'self' data: https: blob:; font-src 'self' data:; worker-src 'self' blob:;";

  // Production: scripts restricted to the app's own origin, no localhost sources.
  const productionPolicy =
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://ai-anim.com; img-src 'self' data: https:; font-src 'self' data:;";

  const policy = isDev ? developmentPolicy : productionPolicy;

  const attachPolicy = (details, callback) => {
    // Header keys are plain object properties, so only an existing entry spelled
    // exactly 'Content-Security-Policy' is overwritten here.
    // NOTE(review): a server-sent CSP under different casing would remain in the
    // copied headers alongside this one. Verify how Electron merges them.
    const responseHeaders = {
      ...details.responseHeaders,
      'Content-Security-Policy': [policy],
    };
    callback({ responseHeaders });
  };

  session.defaultSession.webRequest.onHeadersReceived(attachPolicy);
}