author: Ed Tanous <ed.tanous@intel.com> 2018-12-19 17:59:28 -0800
committer: Ed Tanous <ed.tanous@intel.com> 2018-12-22 17:36:03 +0000
commit: 0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f
tree: 7140663c2b9acfa7da750fb4d86fb9982bf2514a /app/index.html
parent: 7c2b7c124f620da1ff0f8a70fd32b93e97d28871
Enable strict content security policy
Webpack allows us to define a content security policy that utilizes hashes to define what is, and isn't, allowed to execute in the page context. Because we're a single page application, this means that we can effectively defend the whole page with a few extra lines of setup.

This does not utilize _any_ of the unsafe-* calls that content security policy has, which should meet security standards for all uses.

Tested By: Launched GUI, observed no functional changes, and watched console for CSP errors. Saw none.

Change-Id: I892df1f1b004384943be0ae6e51046054991fd45
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'app/index.html')
-rw-r--r-- app/index.html 1
1 files changed, 1 insertions, 0 deletions
diff --git a/app/index.html b/app/index.html
index 62ddfc5..63ee778 100644
--- a/app/index.html
+++ b/app/index.html
@@ -2,6 +2,7 @@
<html ng-app="app" ng-csp lang="en">
<head>
+ <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
<meta charset="UTF-8">
<title>OpenBMC</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
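Review bot: The added Content-Security-Policy meta sits ahead of <meta charset="UTF-8">, and once %%CSP_CONTENT%% is expanded into a list of hashes the charset declaration may fall outside the first 1024 bytes of the document, where the HTML specification requires it to appear. Suggest moving the charset meta to the first position in <head> and placing the CSP meta directly after it; nothing between <head> and that point loads a resource, so the policy still governs everything that follows. Two related points on the same line: a policy delivered through a meta element ignores frame-ancestors, report-uri and sandbox, so those directives still need an HTTP response header if they are wanted, and the build should fail if the literal %%CSP_CONTENT%% placeholder ever reaches the served file unsubstituted.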