#516 Set CSP in Meta tag (#517)

* feat: set csp meta in index.html for prod

* fix grumbles

packages/fether-electron/src/main/app/methods/setupRequestListeners.js

@@ -37,6 +37,9 @@ function setupRequestListeners (fetherApp) {
   );
 
   // Content Security Policy (CSP)
+  // Note: `onHeadersReceived` will not be called in prod, because we use the
+  // file:// protocol: https://electronjs.org/docs/tutorial/security#csp-meta-tag
+  // Instead, the CSP are the ones in the meta tag inside index.html
   session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
     pino.debug(
       `Configuring Content-Security-Policy for environment ${

packages/fether-react/public/index.html

@@ -4,8 +4,25 @@
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
-  <!-- CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js -->
   <meta name="theme-color" content="#000000">
+  <!-- These CSP are for prod. For dev, CSP are set inside @electron-app -->
+  <meta http-equiv="Content-Security-Policy" content="
+      block-all-mixed-content;
+      child-src 'none';
+      connect-src https: ws:;
+      default-src 'none';
+      font-src 'none';
+      form-action 'none';
+      frame-src 'none';
+      img-src 'self' 'unsafe-inline' file: data: blob: https:;
+      manifest-src 'none';
+      media-src 'none';
+      object-src 'none';
+      prefetch-src 'none';
+      script-src 'self' 'unsafe-inline';
+      style-src 'self' 'unsafe-inline' http:;
+      worker-src blob:;
+    ">
   <!--
       manifest.json provides metadata used when your web app is added to the
       homescreen on Android. See https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/