tutanota/buildSrc/LaunchHtml.js

global.window = undefined

function getCspUrls(env) {
	// we want to have the following allowed connect-src for a given staticUrl like https://app(.local/.test).tuta.com:
	//
	// wss://app(.local/.test).tuta.com for websocket
	// http(s)://*.api(.local/.test).tuta.com for the web app
	// api://app(.local/.test).tuta.com for the mobile apps api protocol (intercepted by native part)
	// https://app(.local/.test).tuta.com for the staticUrl itself
	// https://(local./test.)tuta.com for the website
	if (env.staticUrl) {
		const url = new URL(env.staticUrl)
		const staticUrlParts = env.staticUrl.split("//")
		const apiUrl = staticUrlParts[0] + "//*.api." + staticUrlParts[1]
		const webSocketUrl = `ws${env.staticUrl.substring(4)}`
		const appApiUrl = `${env.staticUrl.replace(/^https?/, "api")}`
		const websiteUrl = env.domainConfigs[url.hostname]?.websiteBaseUrl ?? "https://tuta.com"
		return `${env.staticUrl} ${webSocketUrl} ${apiUrl} ${appApiUrl} ${websiteUrl}`
	} else {
		return ""
	}
}

/**
 * Renders the initial HTML page to bootstrap Tutanota for different environments
 */
export async function renderHtml(scripts, env) {
	return `<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	${csp(env)}
	<meta name="apple-mobile-web-app-capable" content="yes">
	<meta name="mobile-web-app-capable" content="yes">
	<meta name="referrer" content="no-referrer">
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover">
	${scripts.map(renderScriptImport).join("\n\t")}
	<!-- TutanotaTags -->
	<title>${env.mode === "App" || env.mode === "Desktop" ? "Tuta Mail" : "Tuta Mail: Login &amp; Sign up for free"}</title>
	<meta name="description" content="Sign-up for Tuta Mail: Get a free email account with quantum-safe encryption and best privacy for all your emails, calendars and contacts.">
	<meta name="application-name" content="Tuta Mail">
	<link rel="apple-touch-icon" href="images/apple-touch-icon.png">
	<link rel="icon" sizes="192x192" href="/images/logo-favicon-192.png">
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:site" content="@TutaPrivacy">
    <meta name="twitter:domain" content="tuta.com">
    <meta name="twitter:image" content="https://tuta.com/resources/images/share-tutanota-twitter-thumbnail.png">
    <meta property="og:type" content="website">
    <meta property="og:site_name" content="Tuta Mail">
    <meta property="og:title" content="Turn ON Privacy">
    <meta property="og:description"
          content="Get a free email account with quantum-safe encryption and best privacy on all your devices. Green, secure &amp; no ads!">
    <meta property="og:locale" content="en">
    <meta property="og:url" content="https://tuta.com/">
    <meta property="og:image" content="https://tuta.com/resources/images/share-tutanota-fb-thumbnail.png">
    <meta property="article:publisher" content="https://www.facebook.com/tutanota">
	<meta itemprop="name" content="Turn ON Privacy">
	<meta itemprop="description" content="Get a free email account with quantum-safe encryption and best privacy on all your devices. Green, secure &amp; no ads!">
	<meta itemprop="image" content="https://tuta.com/images/share_image.png">
	<meta name="apple-itunes-app" content="app-id=922429609, app-argument=https://app.tuta.com">
	<link rel="canonical" href="https://app.tuta.com/">
</head>
<body style="background-color:transparent">
<noscript>This site requires javascript to be enabled. Please activate it in the settings of your browser.</noscript>
</body>
</html>`
}

function csp(env) {
	if (env.dist) {
		if (env.mode === "App" || env.mode === "Desktop") {
			// differences in comparison to web csp:
			// * Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive.
			const cspContent =
				"default-src 'none';" +
				" script-src 'self' 'wasm-unsafe-eval';" +
				" worker-src 'self';" +
				" frame-src 'none';" +
				" font-src 'self';" +
				" img-src http: blob: data: *;" +
				" media-src blob: data: *;" +
				" style-src 'unsafe-inline';" +
				"base-uri 'none';" +
				` connect-src 'self' ${getCspUrls(env)};`

			return `<meta http-equiv="Content-Security-Policy" content="${cspContent}">`
		} else {
			//  csp is in the response headers
			return ""
		}
	} else {
		const cspContent =
			"default-src * 'unsafe-inline';" +
			" script-src * 'unsafe-inline' 'wasm-unsafe-eval';" +
			" img-src * data: blob: 'unsafe-inline';" +
			" media-src * data: blob: 'unsafe-inline';" +
			" style-src * 'unsafe-inline';" +
			" frame-src *;" +
			` connect-src *;`

		return `<meta http-equiv="Content-Security-Policy" content="${cspContent}">`
	}
}

function renderScriptImport({ src, type }) {
	const typeString = type ? ` type="${type}"` : ""
	return `<script src="${src}"${typeString} defer></script>`
}
imported new tutanota client 2017-08-15 13:54:22 +02:00			`global.window = undefined`

[android] intercept api and asset requests #pi41 Co-authored-by: ivk <ivk@tutao.de> 2022-07-15 10:01:02 +02:00			`function getCspUrls(env) {`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			`// we want to have the following allowed connect-src for a given staticUrl like https://app(.local/.test).tuta.com:`
			`//`
			`// wss://app(.local/.test).tuta.com for websocket`
			`// http(s)://*.api(.local/.test).tuta.com for the web app`
			`// api://app(.local/.test).tuta.com for the mobile apps api protocol (intercepted by native part)`
			`// https://app(.local/.test).tuta.com for the staticUrl itself`
			`// https://(local./test.)tuta.com for the website`
imported new tutanota client 2017-08-15 13:54:22 +02:00			`if (env.staticUrl) {`
changes after review #5929 2023-10-27 11:27:04 +02:00			`const url = new URL(env.staticUrl)`
fix csp for apps and DesktopClients 2022-04-20 11:00:52 +02:00			`const staticUrlParts = env.staticUrl.split("//")`
			`const apiUrl = staticUrlParts[0] + "//*.api." + staticUrlParts[1]`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			const webSocketUrl = `ws${env.staticUrl.substring(4)}`
			const appApiUrl = `${env.staticUrl.replace(/^https?/, "api")}`
changes after review #5929 2023-10-27 11:27:04 +02:00			`const websiteUrl = env.domainConfigs[url.hostname]?.websiteBaseUrl ?? "https://tuta.com"`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			return `${env.staticUrl} ${webSocketUrl} ${apiUrl} ${appApiUrl} ${websiteUrl}`
imported new tutanota client 2017-08-15 13:54:22 +02:00			`} else {`
			`return ""`
			`}`
			`}`

			`/**`
			`* Renders the initial HTML page to bootstrap Tutanota for different environments`
			`*/`
Use Rollup & Nollup for build 2019-09-13 13:49:11 +02:00			`export async function renderHtml(scripts, env) {`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00			return `<!DOCTYPE html>
			`<html>`
			`<head>`
			`<meta charset="utf-8">`
			`${csp(env)}`
			`<meta name="apple-mobile-web-app-capable" content="yes">`
			`<meta name="mobile-web-app-capable" content="yes">`
			`<meta name="referrer" content="no-referrer">`
			`<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover">`
fix index.html generator, fix #3964 * `csp` returns null when in dist+Browser mode, which was ok when we rendered index.html, but isn't anymore when we use a template string * the generator for the script tags was also broken, with mismatched double quotes and rogue commas 2022-03-14 17:52:03 +01:00			`${scripts.map(renderScriptImport).join("\n\t")}`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00			`<!-- TutanotaTags -->`
Include Desktop in title tag check Close #8283 2025-01-16 14:54:23 +01:00			`<title>${env.mode === "App" \|\| env.mode === "Desktop" ? "Tuta Mail" : "Tuta Mail: Login & Sign up for free"}</title>`
Update title & description 2024-10-28 11:35:18 +01:00			`<meta name="description" content="Sign-up for Tuta Mail: Get a free email account with quantum-safe encryption and best privacy for all your emails, calendars and contacts.">`
Change application name, #5960 2023-11-03 17:01:47 +01:00			`<meta name="application-name" content="Tuta Mail">`
v271.250220.0 - monitor model v31 - Added rating dialog for android using the multipage dialog (Closes #8530) - Updated images within the rating dialog - Adjusted rating prompt interval to be occurring more often - Added usage tests for ratings - Now the native mobile navigation gestures are used within the rating dialog to be interpreted as "Not now" or "Maybe later" button clicks - Refined support dialog (Closes #8458) - Updated app icons for Android/iOS/Desktop (Closes #8503) - Replaced F-Droid app icons, feature graphic and screenshots - Updated favicons (Closes #8264) Co-authored-by: yoy <yoy@tutao.de> Co-authored-by: jug <jug@tutao.de> Co-authored-by: cag Co-authored-by: arm <arm@tutao.de> 2025-02-19 11:49:36 +01:00			`<link rel="apple-touch-icon" href="images/apple-touch-icon.png">`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00			`<link rel="icon" sizes="192x192" href="/images/logo-favicon-192.png">`
Update LaunchHtml to use new referral images tutadb#1433 2023-08-23 11:48:45 +02:00			`<meta name="twitter:card" content="summary_large_image">`
Change Tutanota to Tuta in translations, #6113 2023-11-09 14:04:10 +01:00			`<meta name="twitter:site" content="@TutaPrivacy">`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			`<meta name="twitter:domain" content="tuta.com">`
			`<meta name="twitter:image" content="https://tuta.com/resources/images/share-tutanota-twitter-thumbnail.png">`
Update LaunchHtml to use new referral images tutadb#1433 2023-08-23 11:48:45 +02:00			`<meta property="og:type" content="website">`
Change application name, #5960 2023-11-03 17:01:47 +01:00			`<meta property="og:site_name" content="Tuta Mail">`
Update the SEO tags of the client Website issue 227. 2024-10-15 13:23:20 +02:00			`<meta property="og:title" content="Turn ON Privacy">`
Update LaunchHtml to use new referral images tutadb#1433 2023-08-23 11:48:45 +02:00			`<meta property="og:description"`
Update the SEO tags of the client Website issue 227. 2024-10-15 13:23:20 +02:00			`content="Get a free email account with quantum-safe encryption and best privacy on all your devices. Green, secure & no ads!">`
Update LaunchHtml to use new referral images tutadb#1433 2023-08-23 11:48:45 +02:00			`<meta property="og:locale" content="en">`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			`<meta property="og:url" content="https://tuta.com/">`
			`<meta property="og:image" content="https://tuta.com/resources/images/share-tutanota-fb-thumbnail.png">`
Update LaunchHtml to use new referral images tutadb#1433 2023-08-23 11:48:45 +02:00			`<meta property="article:publisher" content="https://www.facebook.com/tutanota">`
Update the SEO tags of the client Website issue 227. 2024-10-15 13:23:20 +02:00			`<meta itemprop="name" content="Turn ON Privacy">`
			`<meta itemprop="description" content="Get a free email account with quantum-safe encryption and best privacy on all your devices. Green, secure & no ads!">`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			`<meta itemprop="image" content="https://tuta.com/images/share_image.png">`
Fix iTunes meta tag 2024-11-25 08:44:08 +01:00			`<meta name="apple-itunes-app" content="app-id=922429609, app-argument=https://app.tuta.com">`
Add canonical link element for SEO #8260 2025-01-08 14:05:44 +01:00			`<link rel="canonical" href="https://app.tuta.com/">`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00			`</head>`
			`<body style="background-color:transparent">`
			`<noscript>This site requires javascript to be enabled. Please activate it in the settings of your browser.</noscript>`
			`</body>`
			</html>`
imported new tutanota client 2017-08-15 13:54:22 +02:00			`}`

[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00			`function csp(env) {`
Use Rollup & Nollup for build 2019-09-13 13:49:11 +02:00			`if (env.dist) {`
			`if (env.mode === "App" \|\| env.mode === "Desktop") {`
			`// differences in comparison to web csp:`
			`// * Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive.`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`const cspContent =`
			`"default-src 'none';" +`
Support Argon2id Allow deriving keys with it if the server requests it, but do not use it by default to create new keys. tutadb#1559 Co-authored-by: @vitoreiji, @paw-hub, @charlag 2023-07-17 11:42:02 +02:00			`" script-src 'self' 'wasm-unsafe-eval';" +`
enable credentials migration from the old to the new domain two ways this can happen: * starting on old domain * starting on new domain in each case, the starting tab opens the other domain in a new tab to then use window.postMessage to transfer the credentials. 2023-09-27 17:22:36 +02:00			`" worker-src 'self';" +`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			`" frame-src 'none';" +`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`" font-src 'self';" +`
			`" img-src http: blob: data: *;" +`
fix(captcha): Add media-src CSP header for the audio captcha Co-authored-by: nig <nig@tutao.de> Co-authored-by: toj <toj@tutao.de> 2025-07-14 14:10:39 +02:00			`" media-src blob: data: *;" +`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`" style-src 'unsafe-inline';" +`
			`"base-uri 'none';" +`
change tutanota.com references to tuta.com of the correct staging level this includes csp for the app html, the support entries and policy docs #5929 2023-10-19 16:26:43 +02:00			` connect-src 'self' ${getCspUrls(env)};`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00
			return `<meta http-equiv="Content-Security-Policy" content="${cspContent}">`
Use Rollup & Nollup for build 2019-09-13 13:49:11 +02:00			`} else {`
use app.tuta.com for the mail app domain leaves references to the https://tutanota.com domain alone 2023-09-25 13:28:09 +02:00			`// csp is in the response headers`
fix index.html generator, fix #3964 * `csp` returns null when in dist+Browser mode, which was ok when we rendered index.html, but isn't anymore when we use a template string * the generator for the script tags was also broken, with mismatched double quotes and rogue commas 2022-03-14 17:52:03 +01:00			`return ""`
Use Rollup & Nollup for build 2019-09-13 13:49:11 +02:00			`}`
Add noscript message. 2018-07-18 16:07:25 +02:00			`} else {`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`const cspContent =`
			`"default-src * 'unsafe-inline';" +`
Support Argon2id Allow deriving keys with it if the server requests it, but do not use it by default to create new keys. tutadb#1559 Co-authored-by: @vitoreiji, @paw-hub, @charlag 2023-07-17 11:42:02 +02:00			`" script-src * 'unsafe-inline' 'wasm-unsafe-eval';" +`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`" img-src * data: blob: 'unsafe-inline';" +`
			`" media-src * data: blob: 'unsafe-inline';" +`
			`" style-src * 'unsafe-inline';" +`
			`" frame-src *;" +`
remove superfluous csp rules from <meta> tag and for non-dist build 2023-11-03 17:09:42 +01:00			` connect-src *;`
[build] Fixes for admin client 1. Change getVersion() in nativeLibraryProvider to handle curious `npm list` behavior. 2. Reorganize rollup plugins so that admin client can import our helper plugins without importing rollup plugins from node_modules. This makes it more resilient when we link against local tutanota-3 (libs hoisted to upper level will not be found across the symlink). 3. Change LaunchHtml to not rely on mithril for the same reason. 2022-03-02 13:49:49 +01:00
			return `<meta http-equiv="Content-Security-Policy" content="${cspContent}">`
Add noscript message. 2018-07-18 16:07:25 +02:00			`}`
			`}`

Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`function renderScriptImport({ src, type }) {`
[build] fix launch html It was generating broken html files for the browser tests. 2022-05-03 13:38:19 +02:00			const typeString = type ? ` type="${type}"` : ""
fix index.html generator, fix #3964 * `csp` returns null when in dist+Browser mode, which was ok when we rendered index.html, but isn't anymore when we use a template string * the generator for the script tags was also broken, with mismatched double quotes and rogue commas 2022-03-14 17:52:03 +01:00			return `<script src="${src}"${typeString} defer></script>`
Run prettier on the whole project 2022-12-27 15:37:40 +01:00			`}`