PLT-7127: Add content security policy (mattermost#539)

* add content security policy * update plugin loading to eliminate need for nonces
Revanth47 · Jan 5, 2018 · 6843b20 · 6843b20
1 parent 174ed8c
commit 6843b20
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 24 deletions.
diff --git a/plugins/index.js b/plugins/index.js
@@ -78,32 +78,25 @@ export function getPlugins() {
 
 export function loadPlugin(manifest) {
  function onLoad() {
- // Add the plugin's js to the page
- const script = document.createElement('script');
- script.id = 'plugin_' + manifest.id;
- script.type = 'text/javascript';
- script.text = this.responseText;
- document.getElementsByTagName('head')[0].appendChild(script);
-
  // Initialize the plugin
  console.log('Registering ' + manifest.id + ' plugin...'); //eslint-disable-line no-console
  const plugin = window.plugins[manifest.id];
  plugin.initialize(registerComponents.bind(null, manifest.id), store);
  console.log('...done'); //eslint-disable-line no-console
  }
 
- // Fetch the plugin's bundled js
- const xhrObj = new XMLHttpRequest();
-
  // Backwards compatibility for old plugins
  let bundlePath = manifest.webapp.bundle_path;
  if (bundlePath.includes('/static/') && !bundlePath.includes('/static/plugins/')) {
  bundlePath = bundlePath.replace('/static/', '/static/plugins/');
  }
 
- xhrObj.open('GET', getSiteURL() + bundlePath, true);
- xhrObj.addEventListener('load', onLoad);
- xhrObj.send('');
+ const script = document.createElement('script');
+ script.id = 'plugin_' + manifest.id;
+ script.type = 'text/javascript';
+ script.src = getSiteURL() + bundlePath;
+ script.onload = onLoad;
+ document.getElementsByTagName('head')[0].appendChild(script);
 }
 
 export function removePlugin(manifest) {

diff --git a/root.html b/root.html
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' cdn.segment.com/analytics.js/ 'unsafe-eval'">
+
  <meta http-equiv='X-UA-Compatible' content='IE=edge'>
  <meta name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0'>
  <meta name='robots' content='noindex, '>
@@ -91,12 +93,6 @@ <h2>Cannot connect to Mattermost</h2>
  </div>
  </div>
  </div>
- <script>
- if (typeof window.setup_root !== 'function') {
- document.querySelector('.error-screen').classList.add('error-screen-visible');
- }
- window.setup_root();
- </script>
  <noscript>
  To use Mattermost, please enable JavaScript.
  </noscript>

diff --git a/root.jsx b/root.jsx
@@ -164,10 +164,10 @@ function appendOnLoadEvent(fn) {
  }
 }
 
-global.window.setup_root = () => {
- // Append trackLoadTime function to any exisitng onload events
- appendOnLoadEvent(trackLoadTime);
-
+appendOnLoadEvent(() => {
  // Do the pre-render setup and call renderRootComponent when done
  preRenderSetup(renderRootComponent);
-};
+});
+
+// Append trackLoadTime function to any exisitng onload events
+appendOnLoadEvent(trackLoadTime);