authorEd Tanous <ed.tanous@intel.com>2018-12-19 17:59:28 -0800
committerEd Tanous <ed.tanous@intel.com>2018-12-22 17:36:03 +0000
commit0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f (patch)
tree7140663c2b9acfa7da750fb4d86fb9982bf2514a /package.json
parent7c2b7c124f620da1ff0f8a70fd32b93e97d28871 (diff)
Enable strict content security policy
Webpack allows us to define a content security policy that uses hashes to define what is and isn't allowed to execute in the page context. Because we're a single page application, this means that we can effectively defend the whole page with a few extra lines of setup. This does not utilize _any_ of the unsafe-* keywords that content security policy has, which should meet security standards for all uses. Tested By: Launched GUI, observed no functional changes, and watched console for CSP errors. Saw none. Change-Id: I892df1f1b004384943be0ae6e51046054991fd45 Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'package.json')
-rw-r--r--package.json15
1 files changed, 8 insertions, 7 deletions
diff --git a/package.json b/package.json
index 2216e73..c4ed8e5 100644
--- a/package.json
+++ b/package.json
@@ -51,28 +51,29 @@
"babel-loader": "8.0.2",
"compression-webpack-plugin": "2.0.0",
"copy-webpack-plugin": "4.5.2",
+ "csp-html-webpack-plugin": "^2.5.0",
"css-loader": "1.0.0",
"eslint-plugin-angular": "3.3.0",
"event-stream": "3.3.4",
"file-loader": "2.0.0",
+ "filter-chunk-webpack-plugin": "^2.1.0",
"html-loader": "^0.5.5",
"html-minifier": "^3.5.20",
+ "html-webpack-inline-source-plugin": "0.0.10",
"html-webpack-plugin": "^3.2.0",
+ "ignore-assets-webpack-plugin": "^2.0.1",
+ "mini-css-extract-plugin": "^0.4.2",
"node-sass": "^4.9.3",
"null-loader": "^0.1.1",
"raw-loader": "^0.5.1",
"rimraf": "^2.5.1",
"sass-loader": "^7.1.0",
"style-loader": "^0.23.0",
+ "svg-inline-loader": "^0.8.0",
"uglifyjs-webpack-plugin": "^1.3.0",
"webpack": "^4.17.2",
- "webpack-dev-server": "^3.1.7",
- "html-webpack-inline-source-plugin": "0.0.10",
- "ignore-assets-webpack-plugin": "^2.0.1",
- "filter-chunk-webpack-plugin": "^2.1.0",
- "mini-css-extract-plugin": "^0.4.2",
- "svg-inline-loader": "^0.8.0",
- "webpack-cli": "^3.1.0"
+ "webpack-cli": "^3.1.0",
+ "webpack-dev-server": "^3.1.7"
},
"license": "MIT",
"engines": {
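Review bot: The new `csp-html-webpack-plugin` entry is added with a caret range (`^2.5.0`), although this plugin is the build step that computes the script and style hashes making up the page's content security policy. A later 2.x release could therefore change the emitted policy without any commit in this repository. Since neighbouring entries such as `babel-loader` and `event-stream` are pinned exactly, I would pin this one too, as `"csp-html-webpack-plugin": "2.5.0",`, unless a committed lockfile already fixes the resolved version (none is visible in this view). The dependency object begins above the hunk, and the webpack configuration carrying the actual directives is outside this package.json-limited diff, so the policy itself cannot be checked here.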