Enable strict content security policy
Webpack allows us to define a content security policy that utilizes
hashes to define what is, and isn't allowed to execute in the page
context. Because we're a single page application, this means that we
can effectively defend the whole page with a few extra lines of setup.
This does not utilitize _any_ of the unsafe-* calls that content
security policy has, which should meet security standards for all uses.
Tested By:
Launched GUI, observed no functional changes, and watched console for
CSP errors. Saw none.
Change-Id: I892df1f1b004384943be0ae6e51046054991fd45
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/package.json b/package.json
index 2216e73..c4ed8e5 100644
--- a/package.json
+++ b/package.json
@@ -51,28 +51,29 @@
"babel-loader": "8.0.2",
"compression-webpack-plugin": "2.0.0",
"copy-webpack-plugin": "4.5.2",
+ "csp-html-webpack-plugin": "^2.5.0",
"css-loader": "1.0.0",
"eslint-plugin-angular": "3.3.0",
"event-stream": "3.3.4",
"file-loader": "2.0.0",
+ "filter-chunk-webpack-plugin": "^2.1.0",
"html-loader": "^0.5.5",
"html-minifier": "^3.5.20",
+ "html-webpack-inline-source-plugin": "0.0.10",
"html-webpack-plugin": "^3.2.0",
+ "ignore-assets-webpack-plugin": "^2.0.1",
+ "mini-css-extract-plugin": "^0.4.2",
"node-sass": "^4.9.3",
"null-loader": "^0.1.1",
"raw-loader": "^0.5.1",
"rimraf": "^2.5.1",
"sass-loader": "^7.1.0",
"style-loader": "^0.23.0",
+ "svg-inline-loader": "^0.8.0",
"uglifyjs-webpack-plugin": "^1.3.0",
"webpack": "^4.17.2",
- "webpack-dev-server": "^3.1.7",
- "html-webpack-inline-source-plugin": "0.0.10",
- "ignore-assets-webpack-plugin": "^2.0.1",
- "filter-chunk-webpack-plugin": "^2.1.0",
- "mini-css-extract-plugin": "^0.4.2",
- "svg-inline-loader": "^0.8.0",
- "webpack-cli": "^3.1.0"
+ "webpack-cli": "^3.1.0",
+ "webpack-dev-server": "^3.1.7"
},
"license": "MIT",
"engines": {