From 56b876c63a263d06ee7f7267193a853261f6e1a7 Mon Sep 17 00:00:00 2001
From: Alice Gaudon <alice@gaudon.pro>
Date: Tue, 26 May 2020 09:36:37 +0200
Subject: [PATCH] Fix CSP security (remove unsafe-inline and unsafe-eval)

---
 frontend/index.html            | 4 ++--
 frontend/service-settings.html | 4 ++--
 frontend/settings.html         | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/index.html b/frontend/index.html
index 8de9d40..7ba284e 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <title>Tabs</title>
 
-    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'sha256-oPC0l5nxLnJ2LX6qU9Laxa4/cjhuHDRIqdUsBDWYqnw='">
 
     <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.8.2/css/all.css"
           integrity="sha384-oS3vJWv+0UjzBfQzYUhtDYW+Pj2yciDJxpsK1OYPAYjqT085Qq/1cq5FLXAZQ7Ay" crossorigin="anonymous">
@@ -12,7 +12,7 @@
     <link rel="stylesheet" href="css/layout.css">
     <link rel="stylesheet" href="css/index.css">
 
-    <script src="js/index.js" defer></script>
+    <script>require('./js/index.js')</script>
 </head>
 
 <body>
diff --git a/frontend/service-settings.html b/frontend/service-settings.html
index 453317d..7ca53f7 100644
--- a/frontend/service-settings.html
+++ b/frontend/service-settings.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <title>Service settings</title>
 
-    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
+    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'sha256-5gY/z34s5Mtc3YL8GkwZQhzk9LymQIuFUQRVvs7Gh0o='">
 
     <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.8.2/css/all.css"
           integrity="sha384-oS3vJWv+0UjzBfQzYUhtDYW+Pj2yciDJxpsK1OYPAYjqT085Qq/1cq5FLXAZQ7Ay" crossorigin="anonymous">
@@ -12,7 +12,7 @@
     <link rel="stylesheet" href="css/layout.css">
     <link rel="stylesheet" href="css/service-settings.css">
 
-    <script src="js/service-settings.js" defer></script>
+    <script>require('./js/service-settings.js')</script>
 </head>
 
 <body>
diff --git a/frontend/settings.html b/frontend/settings.html
index aa783fb..2e7ef87 100644
--- a/frontend/settings.html
+++ b/frontend/settings.html
@@ -5,7 +5,7 @@
     <title>Service settings</title>
 
     <meta http-equiv="Content-Security-Policy"
-          content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
+          content="style-src 'self' 'unsafe-inline' https://use.fontawesome.com; font-src 'self' https://use.fontawesome.com; script-src 'self' 'sha256-UoPUIMX0PZl7cy3YoegZ0EDleSaHxTURPMyK09xsa0E='">
 
     <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.8.2/css/all.css"
           integrity="sha384-oS3vJWv+0UjzBfQzYUhtDYW+Pj2yciDJxpsK1OYPAYjqT085Qq/1cq5FLXAZQ7Ay" crossorigin="anonymous">
@@ -13,7 +13,7 @@
     <link rel="stylesheet" href="css/layout.css">
     <link rel="stylesheet" href="css/service-settings.css">
 
-    <script src="js/settings.js" defer></script>
+    <script>require('./js/settings.js')</script>
 </head>
 
 <body>