Added sha-256 for all the unsafe-inline restrictions.
Sadly had to add unsafe-eval because build.js uses it for webpack.
The gravatar URL in admin doesn't work, which is consistent with freedom.press (though securedrop seems to exclude CSP altogether in the /admin/ path).
I haven't included analytics.freedom.press in any of the rules, nor the piwik sha256, because even though I see PIWIK_ID mentioned in production.py, I don't see them in the HTML loaded for the website. Is it being used somewhere? Then I will need to add those to the rules.
Apart from that, everything should mostly be working.
Fixes #284
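As an added illustration (not code from this PR or the project), the following Python script shows how the `'sha256-...'` hash sources mentioned above are derived: a browser hashes the exact bytes between `<script>` and `</script>` (leading and trailing whitespace included) and compares the base64-encoded digest against the `script-src` directive. The HTML below is constructed sample input; the file name `/static/build.js` and the `build_script_src` helper are assumptions made for the example, and `'unsafe-eval'` is only appended when explicitly requested so that it is easy to see where a build tool forces that relaxation.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Hash algorithms that CSP Level 2/3 accept in a hash-source.
CSP_HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(inline_body: str, algo: str = "sha256") -> str:
    """Return a CSP hash-source such as 'sha256-<base64>' for an inline script/style body.

    The body must be byte-for-byte what the browser sees between the tags;
    trimming or re-indenting it in a template changes the hash.
    """
    if algo not in CSP_HASH_ALGOS:
        raise ValueError(f"CSP hash-source algorithm must be one of {CSP_HASH_ALGOS}")
    digest = hashlib.new(algo, inline_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


class _InlineScriptCollector(HTMLParser):
    """Collects the raw body of every <script> element that has no src attribute."""

    def __init__(self):
        # convert_charrefs=False keeps script text untouched, which is what the browser hashes.
        super().__init__(convert_charrefs=False)
        self.bodies = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.bodies.append("".join(self._buf))
            self._in_inline = False


def inline_script_hashes(html: str, algo: str = "sha256") -> list:
    """Return one hash-source per inline <script> in the given HTML, in document order."""
    parser = _InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return [csp_hash_source(body, algo) for body in parser.bodies]


def build_script_src(hashes, allow_eval=False, extra_sources=()):
    """Assemble a script-src directive from 'self', extra host sources and hash sources.

    'unsafe-eval' is opt-in only, so the resulting header makes it obvious when a
    bundler (e.g. one that uses eval-based source maps) forces the relaxation.
    """
    sources = ["'self'", *extra_sources, *hashes]
    if allow_eval:
        sources.append("'unsafe-eval'")
    return "script-src " + " ".join(sources)


# Constructed sample page: one external script (needs no hash) and two inline ones.
SAMPLE_HTML = """<html><head>
<script src="/static/build.js"></script>
<script>window.APP = {debug: false};</script>
</head><body>
<script>
  document.body.dataset.ready = "1";
</script>
</body></html>"""


def sample_policy(allow_eval=False):
    """script-src directive for SAMPLE_HTML, with or without 'unsafe-eval'."""
    return build_script_src(inline_script_hashes(SAMPLE_HTML), allow_eval=allow_eval)


if __name__ == "__main__":
    print(sample_policy())
    print(sample_policy(allow_eval=True))
```

Regenerate the hashes whenever an inline script changes; a stale hash fails closed and the browser reports the blocked script in its console, which is the usual symptom when a template edit silently breaks a hash-based policy.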