CSP: base-uri
We don't seem to make use of the base tag, so we can add base-uri 'none' in our CSP rules. The generated index.html after a build shows:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta content="ie=edge" http-equiv="x-ua-compatible">
<meta name="description" content="A collection of tools for Taskcluster components and elements in the
Taskcluster ecosystem. Here you'll find tools to manage
Taskcluster services as well as run, debug, inspect, and view tasks, task groups,
and other Taskcluster related entities.">
<meta name="author" content="Taskcluster">
<title>Taskcluster</title>
<meta content="width=device-width,initial-scale=1" name="viewport">
<link href="/index.b9ec9f27fa848ae9cea54954892eb073.css" rel="stylesheet"/>
</head>
<body>
<div id="root">
</div>
<script src="/runtime.6b17f7b8acc17981bfde.v1.js" type="text/javascript"></script>
<script src="/vendor.14cd42690447ff5ce934.v1.js" type="text/javascript"></script>
<script src="/index.f55880b24bc0d4c01012.v1.js" type="text/javascript"></script>
</body>
</html>
CSP: form-action
When a form is submitted, we always do e.preventDefault so I think it's safe to add form-action 'none' to our CSP rules.
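One way to check both proposals against a build, as an added example that is not part of the original post or the Taskcluster code base: it parses a CSP value and scans built HTML for `<base>` and `<form>` elements that the two directives would affect. The function names, the sample policy and the shortened sample HTML are assumptions constructed for illustration.

```javascript
// Added example; helper names are hypothetical and both samples are constructed.
const SAMPLE_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self'; base-uri 'none'; form-action 'none'";
const SAMPLE_HTML = `<!DOCTYPE html>
<html lang="en"><head><title>Taskcluster</title></head>
<body><div id="root"></div><script src="/index.js"></script></body></html>`;

// Parse a CSP value into { directive: [sources] }. The first occurrence of a
// directive wins; repeated directives are ignored, as browsers do.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Collect static markup the two directives would affect. Forms rendered at
// runtime by the client-side app do not appear in the built file.
function findAffectedMarkup(html) {
  const visible = html.replace(/<!--[\s\S]*?-->/g, '');
  return {
    baseTags: visible.match(/<base\b[^>]*>/gi) || [],
    forms: visible.match(/<form\b[^>]*>/gi) || [],
  };
}

// Return a list of problems; an empty list means policy and markup agree.
function checkPolicy(policy, html) {
  const csp = parseCsp(policy);
  const { baseTags, forms } = findAffectedMarkup(html);
  const problems = [];
  for (const name of ['base-uri', 'form-action']) {
    const sources = csp[name];
    if (!sources) {
      problems.push(`${name} is missing (it does not fall back to default-src)`);
    } else if (sources.length !== 1 || sources[0].toLowerCase() !== "'none'") {
      problems.push(`${name} is not 'none'`);
    }
  }
  if (baseTags.length) problems.push(`base-uri 'none' would ignore ${baseTags[0]}`);
  if (forms.length) problems.push(`form-action 'none' would block ${forms[0]}`);
  return problems;
}

console.log(checkPolicy(SAMPLE_POLICY, SAMPLE_HTML));
```

Both directives are checked explicitly because neither inherits from `default-src`, so a policy that omits them leaves base URL and form targets unrestricted.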