Remove CSP protections from HTML
When I originally wrote CSP into the webui files, I intended to drop it
into the HTML file so it could be removed from bmcweb. Unfortunately,
that plan doesn't fly, as the CSP headers in bmcweb need to remain for
non-html files.
This normally wouldn't matter, but a number of people utilize
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION to run the webui locally and
debug a new webui patch from a working BMC. This causes the CSP headers
to conflict, and the browser to fail with a CSP error on connect-src
when debugging locally.
Removing the CSP section entirely from the webui resolves this, and
doesn't change functionality at all, as it's still covered in bmcweb.
Tested: Will verify on a real platform.
Verified that building the webui locally with the above bmcweb flag
allows the webui to launch correctly.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I60e5011361ec3ce1930249a20cf34480beb48a7f
diff --git a/app/index.html b/app/index.html
index ab2b35b..8bcd4d6 100644
--- a/app/index.html
+++ b/app/index.html
@@ -2,7 +2,7 @@
<html ng-app="app" ng-csp lang="en">
<head>
- <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
+ <meta http-equiv="Content-Security-Policy">
<meta charset="UTF-8">
<title>OpenBMC</title>
<meta name="viewport" content="width=device-width, initial-scale=1">