Remove CSP meta tag

This removes the `<meta>` tag used for CSP. We originally included the CSP in the HTML because the HTTP headers could not be certified. HTTP headers are now certified so the `Content-Security-Policy` header _should_ be enough. Additionally, the `<meta>` tag hasn't been replaced correctly for some time leading to an irrelevant HTML tag.
dfinity · Oct 24, 2023 · 29534ce · 29534ce
1 parent afb54bb
commit 29534ce
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 14 deletions.
diff --git a/src/frontend/index.html b/src/frontend/index.html
@@ -4,8 +4,6 @@
     <meta charset="UTF-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <!-- CSP directives injected by the canister -->
-    <meta replaceme-with-csp />
     <title>Internet Identity</title>
     <link rel="shortcut icon" href="/favicon.ico" />
     <link rel="stylesheet" href="src/styles/main.css" />

diff --git a/src/internet_identity/src/assets.rs b/src/internet_identity/src/assets.rs
@@ -5,7 +5,7 @@
 use crate::hash::{hash_of_map, Value};
 use crate::http::{security_headers, IC_CERTIFICATE_EXPRESSION_HEADER};
 use crate::nested_tree::NestedTree;
-use crate::{http, state};
+use crate::state;
 use base64::engine::general_purpose::STANDARD as BASE64;
 use base64::Engine;
 use ic_cdk::api;
@@ -97,21 +97,13 @@ pub enum ContentType {
 // The <script> tag that loads the 'index.js'
 const JS_SETUP_SCRIPT: &str = "let s = document.createElement('script');s.type = 'module';s.src = '/index.js';document.head.appendChild(s);";
 
-// Fix up HTML pages, by injecting canister ID, script tag and CSP
+// Fix up HTML pages, by injecting canister ID & script tag
 fn fixup_html(html: &str) -> String {
     let canister_id = api::id();
     let setup_js: String = JS_SETUP_SCRIPT.to_string();
-    let html = html.replace(
+    html.replace(
         r#"<script type="module" crossorigin src="/index.js"></script>"#,
         &format!(r#"<script data-canister-id="{canister_id}" type="module">{setup_js}</script>"#),
-    );
-
-    html.replace(
-        "<meta replaceme-with-csp/>",
-        &format!(
-            r#"<meta http-equiv="Content-Security-Policy" content="{}" />"#,
-            &http::content_security_policy_meta()
-        ),
     )
 }
 

diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
@@ -180,7 +180,7 @@ pub fn security_headers() -> Vec<HeaderField> {
 /// Full content security policy delivered via HTTP response header.
 ///
 /// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag.
-/// We deliver the CSP by header _and_ meta tag because the headers are not yet certified.
+/// We deliver the CSP by header
 fn content_security_policy_header() -> String {
     let meta_policy = content_security_policy_meta();
     format!("{meta_policy}frame-ancestors 'none';")