Enable strict content security policy

Webpack allows us to define a content security policy that utilizes
hashes to define what is, and isn't allowed to execute in the page
context.  Because we're a single page application, this means that we
can effectively defend the whole page with a few extra lines of setup.

This does not utilitize _any_ of the unsafe-* calls that content
security policy has, which should meet security standards for all uses.

Tested By:
Launched GUI, observed no functional changes, and watched console for
CSP errors.  Saw none.

Change-Id: I892df1f1b004384943be0ae6e51046054991fd45
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/app/index.html b/app/index.html
index 62ddfc5..63ee778 100644
--- a/app/index.html
+++ b/app/index.html
@@ -2,6 +2,7 @@
 <html ng-app="app" ng-csp lang="en">
 
 <head>
+    <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
     <meta charset="UTF-8">
     <title>OpenBMC</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
diff --git a/package-lock.json b/package-lock.json
index 379caed..07d2a7c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -713,6 +713,12 @@
         "to-fast-properties": "2.0.0"
       }
     },
+    "@types/node": {
+      "version": "10.12.18",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-10.12.18.tgz",
+      "integrity": "sha512-fh+pAqt4xRzPfqA6eh3Z2y6fyZavRIumvjhaCL753+TVkGKGhpPeyrJG2JftD0T9q4GF00KjefsQ+PQNDdWQaQ==",
+      "dev": true
+    },
     "@uirouter/core": {
       "version": "5.0.21",
       "resolved": "https://registry.npmjs.org/@uirouter/core/-/core-5.0.21.tgz",
@@ -1947,6 +1953,20 @@
       "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==",
       "dev": true
     },
+    "cheerio": {
+      "version": "1.0.0-rc.2",
+      "resolved": "https://registry.npmjs.org/cheerio/-/cheerio-1.0.0-rc.2.tgz",
+      "integrity": "sha1-S59TqBsn5NXawxwP/Qz6A8xoMNs=",
+      "dev": true,
+      "requires": {
+        "css-select": "1.2.0",
+        "dom-serializer": "0.1.0",
+        "entities": "1.1.1",
+        "htmlparser2": "3.10.0",
+        "lodash": "4.17.10",
+        "parse5": "3.0.3"
+      }
+    },
     "chownr": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz",
@@ -2503,6 +2523,24 @@
         "randomfill": "1.0.4"
       }
     },
+    "csp-html-webpack-plugin": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/csp-html-webpack-plugin/-/csp-html-webpack-plugin-2.5.0.tgz",
+      "integrity": "sha512-cL3fiTv1ebu5FnfmgJUZG6lSI/k0K+QDcza2rZyHw9xcWE4hGoD0cL3rAPvCAPa+OrFMrbj35RqkHXISWwm2Uw==",
+      "dev": true,
+      "requires": {
+        "cheerio": "1.0.0-rc.2",
+        "lodash": "4.17.11"
+      },
+      "dependencies": {
+        "lodash": {
+          "version": "4.17.11",
+          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz",
+          "integrity": "sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg==",
+          "dev": true
+        }
+      }
+    },
     "css-loader": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-1.0.0.tgz",
@@ -2949,6 +2987,15 @@
       "integrity": "sha1-sXrtguirWeUt2cGbF1bg/BhyBMI=",
       "dev": true
     },
+    "domhandler": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-2.4.2.tgz",
+      "integrity": "sha512-JiK04h0Ht5u/80fdLMCEmV4zkNh2BcoMFBmZ/91WtYZ8qVXSKjiw7fXMgFPnHcSZgOo3XdinHvmnDUeMf5R4wA==",
+      "dev": true,
+      "requires": {
+        "domelementtype": "1.3.0"
+      }
+    },
     "domutils": {
       "version": "1.5.1",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-1.5.1.tgz",
@@ -4496,6 +4543,33 @@
         }
       }
     },
+    "htmlparser2": {
+      "version": "3.10.0",
+      "resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-3.10.0.tgz",
+      "integrity": "sha512-J1nEUGv+MkXS0weHNWVKJJ+UrLfePxRWpN3C9bEi9fLxL2+ggW94DQvgYVXsaT30PGwYRIZKNZXuyMhp3Di4bQ==",
+      "dev": true,
+      "requires": {
+        "domelementtype": "1.3.0",
+        "domhandler": "2.4.2",
+        "domutils": "1.5.1",
+        "entities": "1.1.1",
+        "inherits": "2.0.3",
+        "readable-stream": "3.1.0"
+      },
+      "dependencies": {
+        "readable-stream": {
+          "version": "3.1.0",
+          "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.1.0.tgz",
+          "integrity": "sha512-vpydAvIJvPODZNagCPuHG87O9JNPtvFEtjHHRVwNVsVVRBqemvPJkc2SYbxJsiZXawJdtZNmkmnsPuE3IgsG0A==",
+          "dev": true,
+          "requires": {
+            "inherits": "2.0.3",
+            "string_decoder": "1.1.1",
+            "util-deprecate": "1.0.2"
+          }
+        }
+      }
+    },
     "http-deceiver": {
       "version": "1.2.7",
       "resolved": "https://registry.npmjs.org/http-deceiver/-/http-deceiver-1.2.7.tgz",
@@ -6453,6 +6527,15 @@
         "error-ex": "1.3.2"
       }
     },
+    "parse5": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-3.0.3.tgz",
+      "integrity": "sha512-rgO9Zg5LLLkfJF9E6CCmXlSE4UVceloys8JrFqCcHloC3usd/kJCyPDwH2SOlzix2j3xaP9sUX3e8+kvkuleAA==",
+      "dev": true,
+      "requires": {
+        "@types/node": "10.12.18"
+      }
+    },
     "parseurl": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.2.tgz",
diff --git a/package.json b/package.json
index 2216e73..c4ed8e5 100644
--- a/package.json
+++ b/package.json
@@ -51,28 +51,29 @@
     "babel-loader": "8.0.2",
     "compression-webpack-plugin": "2.0.0",
     "copy-webpack-plugin": "4.5.2",
+    "csp-html-webpack-plugin": "^2.5.0",
     "css-loader": "1.0.0",
     "eslint-plugin-angular": "3.3.0",
     "event-stream": "3.3.4",
     "file-loader": "2.0.0",
+    "filter-chunk-webpack-plugin": "^2.1.0",
     "html-loader": "^0.5.5",
     "html-minifier": "^3.5.20",
+    "html-webpack-inline-source-plugin": "0.0.10",
     "html-webpack-plugin": "^3.2.0",
+    "ignore-assets-webpack-plugin": "^2.0.1",
+    "mini-css-extract-plugin": "^0.4.2",
     "node-sass": "^4.9.3",
     "null-loader": "^0.1.1",
     "raw-loader": "^0.5.1",
     "rimraf": "^2.5.1",
     "sass-loader": "^7.1.0",
     "style-loader": "^0.23.0",
+    "svg-inline-loader": "^0.8.0",
     "uglifyjs-webpack-plugin": "^1.3.0",
     "webpack": "^4.17.2",
-    "webpack-dev-server": "^3.1.7",
-    "html-webpack-inline-source-plugin": "0.0.10",
-    "ignore-assets-webpack-plugin": "^2.0.1",
-    "filter-chunk-webpack-plugin": "^2.1.0",
-    "mini-css-extract-plugin": "^0.4.2",
-    "svg-inline-loader": "^0.8.0",
-    "webpack-cli": "^3.1.0"
+    "webpack-cli": "^3.1.0",
+    "webpack-dev-server": "^3.1.7"
   },
   "license": "MIT",
   "engines": {
diff --git a/webpack.config.js b/webpack.config.js
index 1d66f12..91cbea8 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -5,12 +5,11 @@
 var autoprefixer = require('autoprefixer');
 var HtmlWebpackInlineSourcePlugin =
     require('html-webpack-inline-source-plugin');
+var CSPWebpackPlugin = require('csp-html-webpack-plugin');
 var HtmlWebpackPlugin = require('html-webpack-plugin');
 var CopyWebpackPlugin = require('copy-webpack-plugin');
 var CompressionPlugin = require('compression-webpack-plugin');
-var AssetsPlugin = require('assets-webpack-plugin');
 var path = require('path');
-var UglifyJsPlugin = require('uglifyjs-webpack-plugin');
 var FilterChunkWebpackPlugin = require('filter-chunk-webpack-plugin');
 var MiniCssExtractPlugin = require('mini-css-extract-plugin');
 
@@ -75,7 +74,7 @@
         use: 'babel-loader',
         exclude: /node_modules/
       },
-      {test: /\.css$/, use: [MiniCssExtractPlugin.loader, 'css-loader']}, {
+      {
         // ASSET LOADER
         // Reference: https://github.com/webpack/file-loader
         // Copy png, jpg, jpeg, gif, svg, woff, woff2, ttf, eot files to
@@ -95,19 +94,9 @@
         test: /\.html$/,
         loader: 'html-loader'
       },
-      {
+      {test: /\.css$/, use: [MiniCssExtractPlugin.loader, 'css-loader']}, {
         test: /\.scss$/,
-        use: [
-          {
-            loader: 'style-loader'  // creates style nodes from JS strings
-          },
-          {
-            loader: 'css-loader'  // translates CSS into CommonJS
-          },
-          {
-            loader: 'sass-loader'  // compiles Sass to CSS
-          }
-        ]
+        use: [MiniCssExtractPlugin.loader, 'css-loader', 'sass-loader']
       }
     ]
   };
@@ -117,19 +106,19 @@
       template: './app/index.html',
       inject: 'body',
       favicon: './app/assets/images/favicon.ico',
-      inlineSource: '.(js|css)$',  // embed all javascript and css inline
       minify: {removeComments: true, collapseWhitespace: true},
 
     }),
-    new MiniCssExtractPlugin(), new HtmlWebpackInlineSourcePlugin(),
+    new CSPWebpackPlugin({
+      'base-uri': '\'self\'',
+      'object-src': '\'none\'',
+      'script-src': ['\'self\''],
+      'style-src': ['\'self\'']
+    }),
+    new MiniCssExtractPlugin(),
 
     new FilterChunkWebpackPlugin({
-      // The webpack inline source plugin will embed the css and javascript
-      // into our html, so  we need to strip it out here so it doesn't take
-      // up space
       patterns: [
-        '*.css',
-        '*.js',
         '*glyphicons-halflings-regular*.ttf',
         '*glyphicons-halflings-regular*.svg',
         '*glyphicons-halflings-regular*.eot',
@@ -138,7 +127,6 @@
     })
   ];
 
-
   // Add build specific plugins
   if (isProd) {
     config.plugins.push(new CompressionPlugin({deleteOriginalAssets: true}));