diff options
author | Ed Tanous <ed.tanous@intel.com> | 2018-12-19 17:59:28 -0800 |
---|---|---|
committer | Ed Tanous <ed.tanous@intel.com> | 2018-12-22 17:36:03 +0000 |
commit | 0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f (patch) | |
tree | 7140663c2b9acfa7da750fb4d86fb9982bf2514a /app/index.html | |
parent | 7c2b7c124f620da1ff0f8a70fd32b93e97d28871 (diff) | |
download | phosphor-webui-0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f.tar.gz phosphor-webui-0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f.zip |
Enable strict content security policy
Webpack allows us to define a content security policy that utilizes
hashes to define what is, and isn't allowed to execute in the page
context. Because we're a single page application, this means that we
can effectively defend the whole page with a few extra lines of setup.
This does not utilitize _any_ of the unsafe-* calls that content
security policy has, which should meet security standards for all uses.
Tested By:
Launched GUI, observed no functional changes, and watched console for
CSP errors. Saw none.
Change-Id: I892df1f1b004384943be0ae6e51046054991fd45
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'app/index.html')
-rw-r--r-- | app/index.html | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/app/index.html b/app/index.html index 62ddfc5..63ee778 100644 --- a/app/index.html +++ b/app/index.html @@ -2,6 +2,7 @@ <html ng-app="app" ng-csp lang="en"> <head> + <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%"> <meta charset="UTF-8"> <title>OpenBMC</title> <meta name="viewport" content="width=device-width, initial-scale=1"> |