diff options
| author | Ed Tanous <ed.tanous@intel.com> | 2019-10-23 13:41:42 -0700 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2019-10-23 13:41:42 -0700 |
| commit | f6387628d22b525c20a16e4b928ceece0e03c92b (patch) | |
| tree | 91546d2b003d5a9fecd7e0295399d57beb6468a4 /webpack.config.js | |
| parent | 5e930c0aeb5b66df2c357be4d5c33d4828c2783f (diff) | |
| download | phosphor-webui-f6387628d22b525c20a16e4b928ceece0e03c92b.tar.gz phosphor-webui-f6387628d22b525c20a16e4b928ceece0e03c92b.zip | |
Remove CSP protections from HTML
When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.
This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.
Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.
Tested: Will verify on a real platform.
Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f
Diffstat (limited to 'webpack.config.js')
| -rw-r--r-- | webpack.config.js | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/webpack.config.js b/webpack.config.js index 71b029e..7630954 100644 --- a/webpack.config.js +++ b/webpack.config.js @@ -5,7 +5,6 @@ var webpack = require('webpack'); var autoprefixer = require('autoprefixer'); var HtmlWebpackInlineSourcePlugin = require('html-webpack-inline-source-plugin'); -var CSPWebpackPlugin = require('csp-html-webpack-plugin'); var HtmlWebpackPlugin = require('html-webpack-plugin'); var CopyWebpackPlugin = require('copy-webpack-plugin'); var CompressionPlugin = require('compression-webpack-plugin'); @@ -131,17 +130,6 @@ module.exports = (env, options) => { minify: {removeComments: true, collapseWhitespace: true}, }), - new CSPWebpackPlugin({ - 'base-uri': '\'self\'', - 'object-src': '\'none\'', - 'script-src': ['\'self\''], - 'style-src': ['\'self\''], - 'connect-src': ['\'self\'', 'wss:'], - // KVM requires image buffers from data: payloads, so allow that in - // img-src - // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 - 'img-src': ['\'self\'', 'data:'], - }), new MiniCssExtractPlugin(), new FilterChunkWebpackPlugin({ |
