Revert "Remove JavaScript/CSS restriction from HTML Content View"

kamilkosek · daviwil · commit 4d2d3c63070e · 2017-06-23T07:37:21.000-07:00
This reverts commit d4cf59d.
diff --git a/src/features/CustomViews.ts b/src/features/CustomViews.ts
@@ -179,7 +179,7 @@ class HtmlContentView extends CustomView {
 
     getContent(): string {
         // Return an HTML page which disables JavaScript in content by default
-        return `<html><head></head><body>${this.htmlContent}</body></html>`;
+        return `<html><head><meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src *; style-src 'self'; script-src 'none';"></head><body>${this.htmlContent}</body></html>`;
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ class HtmlContentView extends CustomView {`
`179`	`179`
`180`	`180`	`getContent(): string {`
`181`	`181`	`// Return an HTML page which disables JavaScript in content by default`
`182`		- return `<html><head></head><body>${this.htmlContent}</body></html>`;
	`182`	+ return `<html><head><meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src *; style-src 'self'; script-src 'none';"></head><body>${this.htmlContent}</body></html>`;
`183`	`183`	`}`
`184`	`184`	`}`
`185`	`185`