From bebfded8f7c4e00a6d90a38dc86ee516454333ef Mon Sep 17 00:00:00 2001
From: tjcouch-sil
Date: Mon, 20 Mar 2023 11:19:40 -0500
Subject: [PATCH] Added script-src 'unsafe-inline' for now. Needs to be fixed in #89

---
 cspell.json | 1 +
 src/renderer/index.ejs | 12 +++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/cspell.json b/cspell.json
index 6dcbde7325..6d38156dad 100644
--- a/cspell.json
+++ b/cspell.json
@@ -20,6 +20,7 @@
 "endregion",
 "guids",
 "Hopkinson",
+ "iframes",
 "localstorage",
 "maximizable",
 "nums",
diff --git a/src/renderer/index.ejs b/src/renderer/index.ejs
index 9cbd295669..ce24d2e44f 100644
--- a/src/renderer/index.ejs
+++ b/src/renderer/index.ejs
@@ -10,11 +10,13 @@
 default-src 'none' so things can't happen unless we allow them
 script-src allows them to use script tags and in-line attribute scripts
 'self' so scripts can be loaded from us
- TODO: change to script-src-elem so in-line attribute scripts like event handlers don't run? If this is actually more secure
+ 'unsafe-inline' because web view iframes use srcdoc right now, which inherits CSP from parent frames
+ TODO: PLEASE FIX THIS - Move web views to be retrieved from the backend, and remove this. paranext-core#89
+ TODO: change to script-src-elem so in-line attribute scripts like event handlers don't run? If this is actually more secure. paranext-core#89
 style-src allows them to use style/link tags and style attributes on tags
 'self' so styles can be loaded from us
- 'unsafe-inline' because that's how our styles are currently loaded in for some reason
- TODO: PLEASE FIX THIS
+ 'unsafe-inline' because that's how our styles are currently loaded in by hot reloading
+ TODO: PLEASE FIX THIS IN PRODUCTION. paranext-core#89
 frame-src 'self' so frame contents can be loaded from us
 worker-src 'self' so web workers can be loaded from us
 manifest-src 'self' so we can load our manifest
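Review bot: The new comment on the style-src `'unsafe-inline'` line says the source is only needed by hot reloading, which is a development-time concern, yet the directive in the policy below is emitted unconditionally; since this is an ejs template, the source could be rendered only when a development-mode flag is available to the template, so a production build does not carry a loosened policy for a dev-tooling need. If no such flag reaches the template, the comment should say so explicitly, e.g. `'unsafe-inline' is required by hot reloading in development only; it is still emitted in production until paranext-core#89 is fixed`. The surrounding explanatory block starts before and continues after this hunk.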
@@ -23,7 +25,7 @@
 'self' communicate with us
 https: communicate with secure networks
 ws: communicate with webSockets
- TODO: try to template the specific url from ClientNetworkConnector in
+ TODO: try to template the specific url from ClientNetworkConnector in. paranext-core#89
 img-src 'self' and https: so they can load images from us and over secure connections
 media-src 'self' and https: so they can load audio, video, etc from us and over secure connections
 font-src 'self' and https: so they can load fonts from us and over secure connections
@@ -34,7 +36,7 @@
 http-equiv="Content-Security-Policy"
 content="
 default-src 'none';
- script-src 'self';
+ script-src 'self' 'unsafe-inline';
 style-src 'self' 'unsafe-inline';
 frame-src 'self';
 worker-src 'self';
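Review bot: Adding `'unsafe-inline'` to script-src in the meta policy removes the CSP's main protection against injected script in the renderer, because any inline `<script>` or event-handler attribute that ends up in the page now executes, whereas `'self'` alone blocked it. The comment hunk above attributes the need to srcdoc iframes inheriting the parent CSP; a less permissive interim option is to allow the specific inline scripts through a nonce or hash source (`'nonce-<value>'` or `'sha256-<hash>'`) instead of `'unsafe-inline'`, or to serve the web views from a URL as the TODO proposes so they can receive their own, tighter policy. If `'unsafe-inline'` has to stay for now, the web view iframes should at least carry a `sandbox` attribute so srcdoc content does not run same-origin with the parent document, and the policy line should reference paranext-core#89 the way the comment does so the temporary nature is visible where the directive is set.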