mozilla-services / FindMyDevice

Find My Device - 🚨🚨This server is obsolete and unsupported.🚨🚨
Mozilla Public License 2.0

No Content Security Policy is used #282

Closed pdehaan closed 9 years ago

pdehaan commented 10 years ago

Risk: medium

Ideally applications, especially new applications, have a strict content security policy. This is not a complicated application and applying a content security policy should be simple. The only page where inline (CSS) code is present is the 404.html, which should be easy to move to a separate CSS file.

The risk is marked medium only because we would really like to see apps use CSP. I don’t think there is a direct danger of not having CSP on this site.

— via https://wiki.mozilla.org/Find_My_Device_Security_Review

pdehaan commented 10 years ago

See #216 #221

pdehaan commented 10 years ago

Or reassign to @oremj if this is more of an Ops/Nginx jam.

jrconlin commented 10 years ago

A candidate to test would be to include the following to the appropriate location in nginx.conf

server {
    ... 
    location / {
        ...
        add_header X-Content-Security-Policy "allow 'self';script-src:api.tiles.mapbox.com; css-src:api.tiles.mapbox.com";
    }
}
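An added example, not code from the FindMyDevice repository or from anyone in this thread: a small Python parser and checker that applies the review's requirements (a `default-src` restricted to `'self'`, no `'unsafe-inline'` for scripts or styles, the Mapbox tile host allowed) to a Content-Security-Policy header value. It is run against the draft-syntax header proposed above and against a constructed, standards-compliant equivalent; the `object-src 'none'` directive, the `KNOWN_DIRECTIVES` subset and the nginx `add_header ... always;` line are assumptions for illustration, not something taken from the repository.

```python
"""Added example (not the FindMyDevice project's code): parse a CSP header
value and check it against the requirements of the security review."""

# CSP Level 1/2 directive names this check recognises (assumption: a subset
# that is enough for a small site like this one).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "frame-ancestors", "base-uri", "form-action", "report-uri",
}

# Header value proposed in this thread (draft-era X-Content-Security-Policy
# syntax, copied verbatim from the nginx snippet above).
PROPOSED = "allow 'self';script-src:api.tiles.mapbox.com; css-src:api.tiles.mapbox.com"

# Constructed standards-compliant equivalent: same allowlist, expressed with
# W3C CSP directives; object-src 'none' is an added hardening assumption.
HARDENED = ("default-src 'self'; "
            "script-src 'self' api.tiles.mapbox.com; "
            "style-src 'self' api.tiles.mapbox.com; "
            "object-src 'none'")

# Matching nginx directive (constructed). 'always' makes nginx send the header
# on error responses too, so the 404 page is covered as well.
NGINX_ADD_HEADER = f'add_header Content-Security-Policy "{HARDENED}" always;'


def parse_csp(value):
    """Split a policy into {directive: [sources]} and collect syntax problems."""
    policy, problems = {}, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, *sources = token.split()
        name = name.lower()
        if ":" in name:
            # 'script-src:host' is never valid: directive name and sources are
            # separated by whitespace in every CSP version, draft or W3C.
            problems.append(f"malformed directive '{name}' (use a space, not ':')")
            continue
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive '{name}'")
            continue
        if name in policy:
            problems.append(f"duplicate directive '{name}' (browsers ignore the second)")
            continue
        policy[name] = sources
    return policy, problems


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def check_policy(value, required_hosts=("api.tiles.mapbox.com",)):
    """Return a list of findings; an empty list means the policy passes."""
    policy, findings = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src: unlisted resource types are unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows 'unsafe-inline'; move inline code to a file")
        if "*" in sources:
            findings.append(f"{directive} allows any host (*)")
        for host in required_hosts:
            if host not in sources:
                findings.append(f"{directive} does not allow {host}")
    return findings


if __name__ == "__main__":
    for label, value in (("proposed", PROPOSED), ("hardened", HARDENED)):
        print(f"{label}: {check_policy(value) or 'OK'}")
    print(NGINX_ADD_HEADER)
```

Run stand-alone, the script reports the draft header as unparseable (the `allow` directive is not in the W3C spec and the `:` separators are malformed in any version), and the hardened policy as passing. A low-risk rollout is to ship the same value under `Content-Security-Policy-Report-Only` first, with a `report-uri`, and promote it to the enforcing header once no violations from the site's own pages are reported.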

jrconlin commented 9 years ago

closed as part of #292

mozfreddyb commented 9 years ago

Maybe the reference is wrong, but #292 does not fix this bug, as well as it does not fix #216. Should this be re-opened?