From 6843b202c3950df9b8427cea5b43b349583d5eb1 Mon Sep 17 00:00:00 2001
From: Chris <ccbrown112@gmail.com>
Date: Fri, 5 Jan 2018 14:01:43 -0600
Subject: [PATCH] PLT-7127: Add content security policy (#539)

* add content security policy

* update plugin loading to eliminate need for nonces
---
 plugins/index.js | 19 ++++++-------------
 root.html        |  8 ++------
 root.jsx         | 10 +++++-----
 3 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/plugins/index.js b/plugins/index.js
index 306d78093e23..588b5eecc485 100644
--- a/plugins/index.js
+++ b/plugins/index.js
@@ -78,13 +78,6 @@ export function getPlugins() {
 
 export function loadPlugin(manifest) {
     function onLoad() {
-        // Add the plugin's js to the page
-        const script = document.createElement('script');
-        script.id = 'plugin_' + manifest.id;
-        script.type = 'text/javascript';
-        script.text = this.responseText;
-        document.getElementsByTagName('head')[0].appendChild(script);
-
         // Initialize the plugin
         console.log('Registering ' + manifest.id + ' plugin...'); //eslint-disable-line no-console
         const plugin = window.plugins[manifest.id];
@@ -92,18 +85,18 @@ export function loadPlugin(manifest) {
         console.log('...done'); //eslint-disable-line no-console
     }
 
-    // Fetch the plugin's bundled js
-    const xhrObj = new XMLHttpRequest();
-
     // Backwards compatibility for old plugins
     let bundlePath = manifest.webapp.bundle_path;
     if (bundlePath.includes('/static/') && !bundlePath.includes('/static/plugins/')) {
         bundlePath = bundlePath.replace('/static/', '/static/plugins/');
     }
 
-    xhrObj.open('GET', getSiteURL() + bundlePath, true);
-    xhrObj.addEventListener('load', onLoad);
-    xhrObj.send('');
+    const script = document.createElement('script');
+    script.id = 'plugin_' + manifest.id;
+    script.type = 'text/javascript';
+    script.src = getSiteURL() + bundlePath;
+    script.onload = onLoad;
+    document.getElementsByTagName('head')[0].appendChild(script);
 }
 
 export function removePlugin(manifest) {
diff --git a/root.html b/root.html
index 019cf4e523bc..65a153488626 100644
--- a/root.html
+++ b/root.html
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' cdn.segment.com/analytics.js/ 'unsafe-eval'">
+
     <meta http-equiv='X-UA-Compatible' content='IE=edge'>
     <meta name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0'>
     <meta name='robots' content='noindex, nofollow'>
@@ -91,12 +93,6 @@ <h2>Cannot connect to Mattermost</h2>
             </div>
         </div>
     </div>
-    <script>
-        if (typeof window.setup_root !== 'function') {
-            document.querySelector('.error-screen').classList.add('error-screen-visible');
-        }
-        window.setup_root();
-    </script>
     <noscript>
         To use Mattermost, please enable JavaScript.
     </noscript>
diff --git a/root.jsx b/root.jsx
index f5d933d0420e..f17828bcde7f 100644
--- a/root.jsx
+++ b/root.jsx
@@ -164,10 +164,10 @@ function appendOnLoadEvent(fn) {
     }
 }
 
-global.window.setup_root = () => {
-    // Append trackLoadTime function to any exisitng onload events
-    appendOnLoadEvent(trackLoadTime);
-
+appendOnLoadEvent(() => {
     // Do the pre-render setup and call renderRootComponent when done
     preRenderSetup(renderRootComponent);
-};
+});
+
+// Append trackLoadTime function to any exisitng onload events
+appendOnLoadEvent(trackLoadTime);