chore: update csp (#2826)
@@ -16,7 +16,7 @@
|
||||
"js": ["content.js"]
|
||||
}
|
||||
],
|
||||
"content_security_policy": "default-src 'self'; script-src 'self' 'wasm-eval' 'wasm-unsafe-eval'; worker-src blob:; connect-src * data: blob:; style-src 'unsafe-inline' 'self'; frame-src * blob:; img-src * data: blob:;",
|
||||
"content_security_policy": "default-src 'self'; script-src 'self' 'wasm-eval' 'wasm-unsafe-eval'; worker-src blob:; connect-src * data: blob:; style-src 'self'; frame-src * blob:; img-src * data: blob:;",
|
||||
"icons": {
|
||||
"16": "images/icon16.png",
|
||||
"32": "images/icon32.png",
|
||||
|
||||
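Review bot: The `content_security_policy` value still leaves `connect-src * data: blob:`, `frame-src * blob:` and `img-src * data: blob:` unrestricted, so dropping `'unsafe-inline'` from `style-src` (taking the second of the two printed policy lines as the new side) narrows style injection but does not constrain where an extension page can send or load data. If the wildcards are required, presumably for self-hosted sync servers, that reason belongs in the commit description or the extension's README, since a JSON manifest cannot carry a comment. The same applies to the `extension_pages` policy in the `@@ -23,7 +23,7 @@` hunk. It is also worth confirming that no extension page relies on `style="…"` attributes or runtime-injected `<style>` elements, which `style-src 'self'` will block.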
@@ -23,7 +23,7 @@
|
||||
"128": "images/icon128.png"
|
||||
},
|
||||
"content_security_policy": {
|
||||
"extension_pages": "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; connect-src * data: blob:; style-src 'unsafe-inline' 'self'; frame-src * blob:; img-src * data: blob:;"
|
||||
"extension_pages": "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; connect-src * data: blob:; style-src 'self'; frame-src * blob:; img-src * data: blob:;"
|
||||
},
|
||||
"browser_specific_settings": {
|
||||
"gecko": {
|
||||
|
||||
@@ -2,18 +2,14 @@
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<!--
|
||||
We need to set 'unsafe-eval' to use wasm.
|
||||
https://bugs.chromium.org/p/chromium/issues/detail?id=948834
|
||||
-->
|
||||
<meta
|
||||
http-equiv="Content-Security-Policy"
|
||||
content="
|
||||
default-src 'self' blob:;
|
||||
script-src 'self' 'unsafe-eval';
|
||||
script-src 'self' 'wasm-unsafe-eval';
|
||||
worker-src 'self' blob:;
|
||||
connect-src * data: blob:;
|
||||
style-src 'unsafe-inline' 'self' http://localhost:* http://127.0.0.1:45653;
|
||||
style-src 'self' http://localhost:* http://127.0.0.1:45653;
|
||||
frame-src * blob:;
|
||||
img-src * data: blob:;
|
||||
"
|
||||
|
||||
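Review bot: The `style-src` line keeps `http://localhost:*` and `http://127.0.0.1:45653` as allowed sources, so with `'unsafe-inline'` gone the policy still accepts stylesheets over plain HTTP from whatever happens to be listening on a loopback port. If only the fixed port is needed (it looks like a local server the app itself runs; confirm), `style-src 'self' http://127.0.0.1:45653;` is the tighter form. The comment explaining `'unsafe-eval'` appears to be removed along with the directive, which is right, but nothing replaces it; a short HTML comment above the `<meta>` tag should say why `'wasm-unsafe-eval'` is needed and what serves port 45653. The `<meta>` element continues past the end of the hunk.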
@@ -1,57 +0,0 @@
|
||||
<!--
|
||||
This file is strictly used for local development using the webpack-dev-server.
|
||||
-->
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<meta content="IE=edge" http-equiv="X-UA-Compatible" />
|
||||
<meta content="width=device-width, initial-scale=1" name="viewport" />
|
||||
|
||||
<link href="favicon/apple-touch-icon.png" rel="apple-touch-icon" sizes="180x180">
|
||||
</link>
|
||||
<link href="favicon/favicon-32x32.png" rel="icon" sizes="32x32" type="image/png">
|
||||
</link>
|
||||
<link href="favicon/favicon-16x16.png" rel="icon" sizes="16x16" type="image/png">
|
||||
</link>
|
||||
<link href="manifest.webmanifest" rel="manifest">
|
||||
</link>
|
||||
|
||||
<link color="#5bbad5" href="favicon/safari-pinned-tab.svg" rel="mask-icon">
|
||||
</link>
|
||||
<meta name="theme-color" content="#ffffff">
|
||||
|
||||
<meta content="Standard Notes" name="apple-mobile-web-app-title" />
|
||||
<meta content="Standard Notes" name="application-name" />
|
||||
|
||||
<title>Dev · Notes · Standard Notes</title>
|
||||
</head>
|
||||
|
||||
<body
|
||||
data-default-sync-server="<%= env.DEFAULT_SYNC_SERVER %>"
|
||||
data-default-files-host="<%= env.DEFAULT_FILES_HOST %>"
|
||||
data-enable-unfinished-features="<%= env.ENABLE_UNFINISHED_FEATURES %>"
|
||||
data-web-socket-url="<%= env.WEBSOCKET_URL %>"
|
||||
data-purchase-url="<%= env.PURCHASE_URL %>"
|
||||
data-plans-url="<%= env.PLANS_URL %>"
|
||||
data-dashboard-url="<%= env.DASHBOARD_URL %>"
|
||||
data-dev-account-email="<%= env.DEV_ACCOUNT_EMAIL %>"
|
||||
data-dev-account-password="<%= env.DEV_ACCOUNT_PASSWORD %>"
|
||||
data-dev-account-server="<%= env.DEV_ACCOUNT_SERVER %>"
|
||||
>
|
||||
<script>
|
||||
window.defaultSyncServer = document.body.dataset.defaultSyncServer || "https://api.standardnotes.com";
|
||||
window.defaultFilesHost = document.body.dataset.defaultFilesHost;
|
||||
window.enabledUnfinishedFeatures = document.body.dataset.enableUnfinishedFeatures === 'true';
|
||||
window.websocketUrl = document.body.dataset.webSocketUrl;
|
||||
window.purchaseUrl = document.body.dataset.purchaseUrl;
|
||||
window.plansUrl = document.body.dataset.plansUrl;
|
||||
window.dashboardUrl = document.body.dataset.dashboardUrl;
|
||||
window.devAccountEmail = document.body.dataset.devAccountEmail;
|
||||
window.devAccountPassword = document.body.dataset.devAccountPassword;
|
||||
window.devAccountServer = document.body.dataset.devAccountServer;
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
@@ -30,6 +30,7 @@
|
||||
<meta name="og:title" content="Standard Notes, an end-to-end encrypted notes app."/>
|
||||
<meta name="og:description" content="Standard Notes is an easy-to-use encrypted note-taking app for digitalists and professionals. Capture your notes, documents, and life's work all in one place."/>
|
||||
|
||||
<!-- CSP script-src hash: sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs= -->
|
||||
<script>
|
||||
window.defaultSyncServer = "https://api.standardnotes.com";
|
||||
window.defaultFilesHost = "https://files.standardnotes.com";
|
||||
|
||||
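Review bot: The hash in the `<!-- CSP script-src hash: … -->` comment is a hand-maintained copy of a digest over the inline `<script>` that follows, and nothing ties it to the script body, so any edit to that script, whitespace included, will make the browser refuse to run it until every policy listing the hash is updated. The comment should say where the hash is consumed and when to regenerate it, for example `<!-- CSP script-src hash for the inline script below; recompute and update every Content-Security-Policy that lists it whenever this script changes -->`. Computing the digest at build time from the rendered template would remove the manual step entirely. The script block runs past the end of the hunk.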
@@ -19,6 +19,8 @@ module.exports = (env, argv) => {
|
||||
devServer: {
|
||||
headers: {
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
'Content-Security-Policy':
|
||||
"default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src * data: blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'wasm-unsafe-eval'; style-src *;",
|
||||
},
|
||||
hot: true,
|
||||
static: './dist',
|
||||
|
||||
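Review bot: The `'Content-Security-Policy'` header under `devServer.headers` embeds, inside one unbroken string, the same `sha256-…` literal that the HTML template carries in a comment, so the two copies can drift apart with no build error and the policy is hard to review directive by directive. Build the header from a named list of directives, with the hash in its own constant and a comment pointing at the inline script it covers; the constants would sit above `module.exports`, outside this hunk. This policy is also looser than the extension and desktop ones touched in the same commit (`style-src *`, `frame-ancestors * file:`, `object-src 'self' blob: *.standardnotes.com`) and sits next to `'Access-Control-Allow-Origin': '*'`; if it is meant to mirror the production web server's header, a comment should say so. The `devServer` block continues outside the hunk.

```javascript
// Digest of the inline bootstrap <script> in the HTML template; recompute when that script changes.
const INLINE_SCRIPT_HASH = "'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs='";

const DEV_SERVER_CSP =
  [
    "default-src https: 'self'",
    "base-uri 'self'",
    'child-src * blob:',
    'connect-src * data: blob:',
    'font-src * data:',
    "form-action 'self'",
    'frame-ancestors * file:',
    'frame-src * blob:',
    "img-src 'self' * data: blob:",
    "manifest-src 'self'",
    "media-src 'self' blob: *.standardnotes.com",
    "object-src 'self' blob: *.standardnotes.com",
    `script-src 'self' ${INLINE_SCRIPT_HASH} 'wasm-unsafe-eval'`,
    'style-src *',
  ].join('; ') + ';';

// … unchanged: module.exports = (env, argv) => { … devServer: { …
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Content-Security-Policy': DEV_SERVER_CSP,
    },
```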