Remove CSP meta tag

This removes the `<meta>` tag used for CSP. We originally included the
CSP in the HTML because the HTTP headers could not be certified.

HTTP headers are now certified so the `Content-Security-Policy` header
_should_ be enough. Additionally, the `<meta>` tag hasn't been replaced
correctly for some time leading to an irrelevant HTML tag.

src/frontend/index.html

@@ -4,8 +4,6 @@
     <meta charset="UTF-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <!-- CSP directives injected by the canister -->
-    <meta replaceme-with-csp />
     <title>Internet Identity</title>
     <link rel="shortcut icon" href="/favicon.ico" />
     <link rel="stylesheet" href="src/styles/main.css" />

src/internet_identity/src/assets.rs

@@ -5,10 +5,9 @@
 use crate::hash::{hash_of_map, Value};
 use crate::http::{security_headers, IC_CERTIFICATE_EXPRESSION_HEADER};
 use crate::nested_tree::NestedTree;
-use crate::{http, state};
+use crate::state;
 use base64::engine::general_purpose::STANDARD as BASE64;
 use base64::Engine;
-use ic_cdk::api;
 use ic_certified_map::{
     fork, fork_hash, labeled, labeled_hash, AsHashTree, Hash, HashTree, RbTree,
 };
@@ -97,24 +96,6 @@ pub enum ContentType {
 // The <script> tag that loads the 'index.js'
 const JS_SETUP_SCRIPT: &str = "let s = document.createElement('script');s.type = 'module';s.src = '/index.js';document.head.appendChild(s);";
 
-// Fix up HTML pages, by injecting canister ID, script tag and CSP
-fn fixup_html(html: &str) -> String {
-    let canister_id = api::id();
-    let setup_js: String = JS_SETUP_SCRIPT.to_string();
-    let html = html.replace(
-        r#"<script type="module" crossorigin src="/index.js"></script>"#,
-        &format!(r#"<script data-canister-id="{canister_id}" type="module">{setup_js}</script>"#),
-    );
-
-    html.replace(
-        "<meta replaceme-with-csp/>",
-        &format!(
-            r#"<meta http-equiv="Content-Security-Policy" content="{}" />"#,
-            &http::content_security_policy_meta()
-        ),
-    )
-}
-
 lazy_static! {
     // The SRI sha256 hash of the script tag, used by the CSP policy.
     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
@@ -247,13 +228,7 @@ fn collect_assets_from_dir(dir: &Dir) -> Vec<(String, Vec<u8>, ContentEncoding,
         let file_bytes = asset.contents().to_vec();
         let (content, encoding, content_type) = match file_extension(asset) {
             "css" => (file_bytes, ContentEncoding::Identity, ContentType::CSS),
-            "html" => (
-                fixup_html(String::from_utf8_lossy(&file_bytes).as_ref())
-                    .as_bytes()
-                    .to_vec(),
-                ContentEncoding::Identity,
-                ContentType::HTML,
-            ),
+            "html" => (file_bytes, ContentEncoding::Identity, ContentType::HTML),
             "ico" => (file_bytes, ContentEncoding::Identity, ContentType::ICO),
             "json" => (file_bytes, ContentEncoding::Identity, ContentType::JSON),
             "js.gz" => (file_bytes, ContentEncoding::GZip, ContentType::JS),

src/internet_identity/src/http.rs

@@ -180,7 +180,7 @@ pub fn security_headers() -> Vec<HeaderField> {
 /// Full content security policy delivered via HTTP response header.
 ///
 /// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag.
-/// We deliver the CSP by header _and_ meta tag because the headers are not yet certified.
+/// We deliver the CSP by header
 fn content_security_policy_header() -> String {
     let meta_policy = content_security_policy_meta();
     format!("{meta_policy}frame-ancestors 'none';")