Enable strict content security policy Webpack allows us to define a content security policy that utilizes hashes to define what is, and isn't allowed to execute in the page context. Because we're a single page application, this means that we can effectively defend the whole page with a few extra lines of setup. This does not utilitize _any_ of the unsafe-* calls that content security policy has, which should meet security standards for all uses. Tested By: Launched GUI, observed no functional changes, and watched console for CSP errors. Saw none. Change-Id: I892df1f1b004384943be0ae6e51046054991fd45 Signed-off-by: Ed Tanous <ed.tanous@intel.com>

commit: 0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f [log] [tgz]
author: Ed Tanous <ed.tanous@intel.com> Wed Dec 19 17:59:28 2018 -0800
committer: Ed Tanous <ed.tanous@intel.com> Sat Dec 22 17:36:03 2018 +0000
tree: 7140663c2b9acfa7da750fb4d86fb9982bf2514a
parent: 7c2b7c124f620da1ff0f8a70fd32b93e97d28871 [diff] [blame]
diff --git a/app/index.html b/app/index.html
index 62ddfc5..63ee778 100644
--- a/app/index.html
+++ b/app/index.html

@@ -2,6 +2,7 @@
 <html ng-app="app" ng-csp lang="en">
 
 <head>
+    <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
     <meta charset="UTF-8">
     <title>OpenBMC</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
commit	0f2f981e3218a57f89995aa6cb6b684b2ec0ba8f	[log] [tgz]
author	Ed Tanous <ed.tanous@intel.com>	Wed Dec 19 17:59:28 2018 -0800
committer	Ed Tanous <ed.tanous@intel.com>	Sat Dec 22 17:36:03 2018 +0000
tree	7140663c2b9acfa7da750fb4d86fb9982bf2514a
parent	7c2b7c124f620da1ff0f8a70fd32b93e97d28871 [diff] [blame]