Remove CSP protections from HTML
When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.
This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.
Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.
Tested: Will verify on a real platform.
Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f
diff --git a/app/index.html b/app/index.html
index ab2b35b..8bcd4d6 100644
--- a/app/index.html
+++ b/app/index.html
@@ -2,7 +2,7 @@
<html ng-app="app" ng-csp lang="en">
<head>
- <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
+ <meta http-equiv="Content-Security-Policy">
<meta charset="UTF-8">
<title>OpenBMC</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
diff --git a/package-lock.json b/package-lock.json
index a34a2d3..d0a4732 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2940,17 +2940,6 @@
"randomfill": "^1.0.3"
}
},
- "csp-html-webpack-plugin": {
- "version": "3.0.3",
- "resolved": "https://registry.npmjs.org/csp-html-webpack-plugin/-/csp-html-webpack-plugin-3.0.3.tgz",
- "integrity": "sha512-E7IYkTYbh7lY2VpPa8snMrH0muoVCIdPb5dAW9dOX5CFRqeZNsBqqIBejlHJ2cn6rFrrQZ/s/vIh0ZTooBP+xQ==",
- "dev": true,
- "requires": {
- "cheerio": "^1.0.0-rc.2",
- "lodash": "^4.17.15",
- "memory-fs": "^0.4.1"
- }
- },
"css-loader": {
"version": "3.2.0",
"resolved": "https://registry.npmjs.org/css-loader/-/css-loader-3.2.0.tgz",
diff --git a/package.json b/package.json
index f8911c2..48f4cb1 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,6 @@
"babel-polyfill": "6.26.0",
"compression-webpack-plugin": "3.0.0",
"copy-webpack-plugin": "5.0.4",
- "csp-html-webpack-plugin": "3.0.3",
"css-loader": "3.2.0",
"eslint-plugin-angular": "4.0.1",
"event-stream": "4.0.1",
diff --git a/webpack.config.js b/webpack.config.js
index 71b029e..7630954 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -5,7 +5,6 @@
var autoprefixer = require('autoprefixer');
var HtmlWebpackInlineSourcePlugin =
require('html-webpack-inline-source-plugin');
-var CSPWebpackPlugin = require('csp-html-webpack-plugin');
var HtmlWebpackPlugin = require('html-webpack-plugin');
var CopyWebpackPlugin = require('copy-webpack-plugin');
var CompressionPlugin = require('compression-webpack-plugin');
@@ -131,17 +130,6 @@
minify: {removeComments: true, collapseWhitespace: true},
}),
- new CSPWebpackPlugin({
- 'base-uri': '\'self\'',
- 'object-src': '\'none\'',
- 'script-src': ['\'self\''],
- 'style-src': ['\'self\''],
- 'connect-src': ['\'self\'', 'wss:'],
- // KVM requires image buffers from data: payloads, so allow that in
- // img-src
- // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
- 'img-src': ['\'self\'', 'data:'],
- }),
new MiniCssExtractPlugin(),
new FilterChunkWebpackPlugin({