From c962d879febd06c3b653c636c715178ad2009343 Mon Sep 17 00:00:00 2001 From: Nicolas Mattia Date: Tue, 24 Oct 2023 13:38:59 +0200 Subject: [PATCH] Remove CSP meta tag This removes the `` tag used for CSP. We originally included the CSP in the HTML because the HTTP headers could not be certified. HTTP headers are now certified so the `Content-Security-Policy` header _should_ be enough. Additionally, the `` tag hasn't been replaced correctly for some time leading to an irrelevant HTML tag. --- src/frontend/index.html | 2 -- src/internet_identity/src/assets.rs | 29 ++--------------------------- src/internet_identity/src/http.rs | 2 +- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/src/frontend/index.html b/src/frontend/index.html index be56351113..d085effd0b 100644 --- a/src/frontend/index.html +++ b/src/frontend/index.html @@ -4,8 +4,6 @@ - - Internet Identity diff --git a/src/internet_identity/src/assets.rs b/src/internet_identity/src/assets.rs index 9bab14c3c8..e1ad675e9d 100644 --- a/src/internet_identity/src/assets.rs +++ b/src/internet_identity/src/assets.rs @@ -5,10 +5,9 @@ use crate::hash::{hash_of_map, Value}; use crate::http::{security_headers, IC_CERTIFICATE_EXPRESSION_HEADER}; use crate::nested_tree::NestedTree; -use crate::{http, state}; +use crate::state; use base64::engine::general_purpose::STANDARD as BASE64; use base64::Engine; -use ic_cdk::api; use ic_certified_map::{ fork, fork_hash, labeled, labeled_hash, AsHashTree, Hash, HashTree, RbTree, }; @@ -97,24 +96,6 @@ pub enum ContentType { // The "#, - &format!(r#""#), - ); - - html.replace( - "", - &format!( - r#""#, - &http::content_security_policy_meta() - ), - ) -} - lazy_static! { // The SRI sha256 hash of the script tag, used by the CSP policy. // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src 
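Review bot: Dropping `fixup_html` means index.html is now served exactly as built, yet the `lazy_static!` block kept at the end of this hunk still computes "the SRI sha256 hash of the script tag, used by the CSP policy", and nothing in the diff shows that hash being taken from the now-unmodified script tag; if it was previously derived from the fixed-up HTML, the header-only CSP will block the page's own script. The removed `use ic_cdk::api` import suggests the old rewrite injected a runtime value into the `<script>` tag, so if the frontend still depends on that value it must now arrive by another route — worth confirming. A test that fetches `/index.html` and asserts the `script-src` hash in the `Content-Security-Policy` header equals the sha256 of the served inline script would pin both points. The hunk is garbled in this rendering (HTML tags stripped), so the exact tag the removed `html.replace` calls rewrote cannot be read here.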
@@ -247,13 +228,7 @@ fn collect_assets_from_dir(dir: &Dir) -> Vec<(String, Vec, ContentEncoding, let file_bytes = asset.contents().to_vec(); let (content, encoding, content_type) = match file_extension(asset) { "css" => (file_bytes, ContentEncoding::Identity, ContentType::CSS), - "html" => ( - fixup_html(String::from_utf8_lossy(&file_bytes).as_ref()) - .as_bytes() - .to_vec(), - ContentEncoding::Identity, - ContentType::HTML, - ), + "html" => (file_bytes, ContentEncoding::Identity, ContentType::HTML), "ico" => (file_bytes, ContentEncoding::Identity, ContentType::ICO), "json" => (file_bytes, ContentEncoding::Identity, ContentType::JSON), "js.gz" => (file_bytes, ContentEncoding::GZip, ContentType::JS), diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs index 2fdef4e186..cc55e7c4a2 100644 --- a/src/internet_identity/src/http.rs +++ b/src/internet_identity/src/http.rs @@ -180,7 +180,7 @@ pub fn security_headers() -> Vec { /// Full content security policy delivered via HTTP response header. /// /// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag. -/// We deliver the CSP by header _and_ meta tag because the headers are not yet certified. +/// We deliver the CSP by header fn content_security_policy_header() -> String { let meta_policy = content_security_policy_meta(); format!("{meta_policy}frame-ancestors 'none';")
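Review bot: The new doc line `/// We deliver the CSP by header` is a truncated sentence, and the context line above it still says the header adds `frame-ancestors` "in addition to the policies included in the HTML `meta` tag" — a tag this same commit deletes from index.html, so the comment now points at something that no longer exists. Suggest replacing the two lines with `/// The CSP is delivered only via this (certified) HTTP header; the HTML no longer carries a CSP meta tag.` and `/// Unlike a meta tag, a header can also carry frame-ancestors, which is why it is appended here.` Since the header is now the only place the policy is enforced, a gateway that strips or rewrites response headers removes CSP entirely; that this is acceptable because the headers are certified and verified client-side is the security assumption the comment should state. The helper is still named `content_security_policy_meta()` although it no longer feeds a meta tag, so a rename (e.g. `content_security_policy_base()`) would spare the next reader a search for the tag. The closing brace of `content_security_policy_header` lies outside the hunk.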