metamath / metamath-website-scripts

Scripts to set up the metamath website(s) so they're under version control, can be reviewed, and can be rerun. The scripts download the seed files from metamath-website-seed, databases from set.mm, etc.
MIT License

Enforce Content-Security-Policy #7

Closed david-a-wheeler closed 1 year ago

david-a-wheeler commented 1 year ago

This switches to enforcing our content security policy. This ensures that even if someone snuck something into our generated content, the content would have very limited access. In particular, any inserted JavaScript or HTML wouldn't be able to do a lot of things that it could otherwise do.

david-a-wheeler commented 1 year ago

It's currently been in report mode. I've been watching the browser console and trying out various pages, and nothing seems to be triggering the report mode. So I think it's safe for us to start enforcing this.
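
The switch this thread describes, from report mode to enforcement, can be confirmed from the response headers a page is served with. The following is an added example, not code from this pull request or the project's scripts; the function names are hypothetical and the header values are constructed samples, not the site's actual policy.

```python
# Added example: classify how a response applies CSP and flag script sources
# that would undercut enforcement. Sample headers are constructed.

WEAK_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")
SCRIPT_DIRECTIVES = ("script-src", "default-src")

def parse_policy(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def csp_status(headers):
    """Return (mode, findings) for a mapping of response header names to values."""
    h = {k.lower(): v for k, v in headers.items()}
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    # An enforcing header takes effect even if a report-only one is also sent.
    mode = "enforced" if enforced else "report-only" if report_only else "none"
    policy = parse_policy(enforced or report_only or "")
    findings = []
    # script-src falls back to default-src when it is absent.
    for name in SCRIPT_DIRECTIVES:
        if name in policy:
            findings += [f"{name} allows {s}" for s in policy[name] if s in WEAK_TOKENS]
            break
    else:
        if mode != "none":
            findings.append("no script-src or default-src: scripts are unrestricted")
    return mode, findings

# Constructed samples: the same policy before and after the switch, and a weak one.
POLICY = "default-src 'self'; img-src 'self' data:"
BEFORE = {"Content-Security-Policy-Report-Only": POLICY}
AFTER = {"Content-Security-Policy": POLICY}
WEAK = {"content-security-policy": "script-src 'self' 'unsafe-inline'; default-src 'none'"}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("weak", WEAK)):
        print(label, csp_status(sample))
```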