Capabilities
Tauri provides application and plugin developers with a capabilities system, to granually enable and constrain the core exposure to the application frontend running in the system WebView.
Capabilities are a set of permissions mapped to application windows and webviews by their respective label. Capabilities can affect multiple windows and webviews and these can be referenced in multiple capabilities.
Capability files are either defined as a JSON or a TOML file
inside the src-tauri/capabilities
directory.
It is good practice to use individual files and only reference
them by identifier in the tauri.conf.json
but it also possible
to defined them directly in the capabilities
field.
All capabilities inside the capabilities
directory are automatically enabled
by default.
Once capabilities are explicitly enabled in the tauri.conf.json
,
only these are used in the application build.
For a full reference of the configuration scheme please see the references section.
The following example JSON defines a capability that enables default functionality
for core plugins and the window.setTitle
API.
These snippets are part of the Tauri configuration file.
This is likely the most common configuration method, where the individual capabilities are inlined and only permissions are referenced by identifier.
This requires well defined
capability files in the capabilities
directory.
Inline capabilities can be mixed with pre-defined capabilities.
Target Platform
Capabilities can be platform-specific by defining the platforms
array.
By default the capability is applied to all targets,
but you can select a subset of the linux
, macOS
, windows
, iOS
and android
targets.
For example a capability for desktop operating systems. Note it enables permissions on plugins that are only available on desktop:
And another example of a capability for mobile. Note it enables permissions on plugins that are only available on mobile:
Remote API Access
By default the API is only accessible to bundled code shipped with the Tauri App. To allow remote sources access to certain Tauri Commands it is possible to define this in the capability configuration file.
This example would allow to scan for NFC tags and to use the barcode scanner from
all subdomains of tauri.app
.
Security Boundaries
What does it protect against?
Depending on the permissions and capabilities it is able to:
- Minimize impact of frontend compromise
- Prevent or reduce (accidential) exposure of local system interfaces and data
- Prevent or reduce possible privilege escalation from frontend to backend/system
What does it not protect against?
- Malicious or insecure Rust code
- Too lax scopes and configuration
- Incorrect scope checks in the command implementation
- Intentional bypasses from Rust code
- Basically anything which was written in the rust core of an application
- 0-days or unpatched 1-days in the system WebView
- Supply chain attacks or otherwise compromised developer systems
Schema Files
Tauri generates a JSON schema with all the permissions that are available to your
application so you have autocompletion in your IDE.
To use the schema, set the $schema
property to one of the schemas
inside the gen/schemas
directory, which are platform-specific.
Usually you will set it to ../gen/schemas/desktop-schema.json
or
../gen/schemas/mobile-schema.json
though you can also define a capability
for a specific target platform.
Configuration Files
Simplified example of an example Tauri application directory structure:
Everything can be inlined into the tauri.conf.json
but even a
little more advanced configuration would bloat this file and
the goal of this approach is that the permissions are abstracted
away whenever possible and simple to understand.
© 2024 Tauri Contributors. CC-BY / MIT