
fix(core): change default `freezePrototype` to false, closes #3416 #3406 (#3423)

Lucas Fernandes Nogueira %!s(int64=3) %!d(string=hai) anos
pai
achega
3a4c016061

+ 6 - 0
.changes/fix-default-freeze-prototype.md

@@ -0,0 +1,6 @@
+---
+"tauri": patch
+"tauri-utils": patch
+---
+
+Change default value for the `freezePrototype` configuration to `false`.

+ 1 - 1
core/tauri-codegen/src/embedded_assets.rs

@@ -192,7 +192,7 @@ impl AssetOptions {
     Self {
       csp: false,
       pattern,
-      freeze_prototype: true,
+      freeze_prototype: false,
       #[cfg(feature = "isolation")]
       isolation_schema: format!("isolation-{}", uuid::Uuid::new_v4()),
     }
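Review bot: The literal `freeze_prototype: false` in this `Self { … }` initializer now carries a security-relevant default with no explanation on the line, and it duplicates the default that `SecurityConfig` in `core/tauri-utils/src/config.rs` gets from `#[serde(default)]`. Freezing `Object.prototype` is a hardening against prototype pollution in the webview, so a reader should be able to see that it is deliberately opt-in and where the matching default lives. I would add a comment above the field such as `// Off by default (opt in with security.freezePrototype); keep in sync with SecurityConfig's default in tauri-utils.` The enclosing function starts and ends outside the hunk, so whether a configured value later overrides this field is not visible here.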

+ 3 - 17
core/tauri-utils/src/config.rs

@@ -573,7 +573,7 @@ fn default_file_drop_enabled() -> bool {
 
 /// Security configuration.
 #[skip_serializing_none]
-#[derive(Debug, PartialEq, Clone, Deserialize, Serialize)]
+#[derive(Debug, Default, PartialEq, Clone, Deserialize, Serialize)]
 #[cfg_attr(feature = "schema", derive(JsonSchema))]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
 pub struct SecurityConfig {
@@ -589,24 +589,10 @@ pub struct SecurityConfig {
   /// See <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP>.
   pub dev_csp: Option<String>,
   /// Freeze the `Object.prototype` when using the custom protocol.
-  #[serde(default = "default_freeze_prototype")]
+  #[serde(default)]
   pub freeze_prototype: bool,
 }
 
-impl Default for SecurityConfig {
-  fn default() -> Self {
-    Self {
-      csp: None,
-      dev_csp: None,
-      freeze_prototype: default_freeze_prototype(),
-    }
-  }
-}
-
-fn default_freeze_prototype() -> bool {
-  true
-}
-
 /// Defines an allowlist type.
 pub trait Allowlist {
   /// Returns all features associated with the allowlist struct.
@@ -2558,7 +2544,7 @@ mod test {
       security: SecurityConfig {
         csp: None,
         dev_csp: None,
-        freeze_prototype: true,
+        freeze_prototype: false,
       },
       allowlist: AllowlistConfig::default(),
       system_tray: None,
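Review bot: The doc comment on `freeze_prototype` in the second `SecurityConfig` hunk still says only that it freezes `Object.prototype` when using the custom protocol, so neither the new default nor the trade-off is documented at the field (the struct's earlier fields fall between the two hunks and are not shown). With `#[serde(default)]` and the derived `Default`, the value is now implicitly `bool::default()`, and removing `default_freeze_prototype` leaves nothing in this file that names it. I would extend the comment with a second line such as `/// Defaults to false; enable it to harden the webview against prototype pollution.` The `description` string in `tooling/cli/schema.json` matches the current comment word for word and is presumably generated from it, so the schema would need regenerating after the change.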

+ 2 - 1
examples/api/src-tauri/tauri.conf.json

@@ -116,7 +116,8 @@
       }
     ],
     "security": {
-      "csp": "default-src 'self' customprotocol: img-src: 'self'; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; img-src 'self' asset: https://asset.localhost blob: data:; font-src https://fonts.gstatic.com"
+      "csp": "default-src 'self' customprotocol: img-src: 'self'; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; img-src 'self' asset: https://asset.localhost blob: data:; font-src https://fonts.gstatic.com",
+      "freezePrototype": true
     },
     "systemTray": {
       "iconPath": "../../.icons/tray_icon_with_transparency.png",
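Review bot: The `csp` value carried over on the new line still contains `img-src:` inside the `default-src` directive, where the trailing colon makes it parse as a scheme source rather than a directive name; it looks like a leftover typo, since a real `img-src` directive follows later in the same string. It is probably inert, but a policy in the API example is likely to be copied into applications, so I would drop the token and start the string with `default-src 'self' customprotocol:; style-src …`, leaving the rest unchanged.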

+ 3 - 3
tooling/cli/schema.json

@@ -155,7 +155,7 @@
           "use": "brownfield"
         },
         "security": {
-          "freezePrototype": true
+          "freezePrototype": false
         },
         "updater": {
           "active": false,
@@ -1294,7 +1294,7 @@
         },
         "freezePrototype": {
           "description": "Freeze the `Object.prototype` when using the custom protocol.",
-          "default": true,
+          "default": false,
           "type": "boolean"
         }
       },
@@ -1609,7 +1609,7 @@
         "security": {
           "description": "Security configuration.",
           "default": {
-            "freezePrototype": true
+            "freezePrototype": false
           },
           "allOf": [
             {