7a87f03ec7
* csp: nonce and unsafe-eval for scripts

  To kick things off, a rudimentary CSP implementation only allows dynamically loading new JavaScript if it includes an associated nonce that is generated on every load of the app. A more sophisticated content security policy is necessary, particularly one that bans eval for scripts, but one step at a time.

* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency's sake

Co-Authored-By: epixa <court@epixa.com>