CSP header adjustments

CHANGELOG.md

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Added
 ### Changed
+* Changed default Content-Security-Policy (CSP) Header to
+  `default-src 'self'; script-src 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob:;`
+  [#3068](https://github.com/greenbone/gsa/pull/3068)
+
 ### Deprecated
 ### Removed
 ### Fixed

gsa/package.json

@@ -71,7 +71,7 @@
     "test:coverage": "react-scripts test --coverage --maxWorkers 2",
     "lint": "eslint --max-warnings 0 src",
     "start": "react-scripts start",
-    "build": "react-scripts build",
+    "build": "INLINE_RUNTIME_CHUNK=false react-scripts build",
     "eject": "react-scripts eject",
     "storybook": "NODE_PATH=src start-storybook",
     "build-storybook": "NODE_PATH=src build-storybook",

gsad/src/gsad.c

@@ -157,9 +157,11 @@
  * @brief Default value for HTTP header "Content-Security-Policy"
  */
 #define DEFAULT_GSAD_CONTENT_SECURITY_POLICY \
-  "default-src 'self' 'unsafe-inline';"      \
-  " img-src 'self' blob:;"                   \
-  " frame-ancestors 'self'"
+  "default-src 'self'; "                     \
+  "script-src 'self'; "                      \
+  "style-src-elem 'self' 'unsafe-inline'; "  \
+  "style-src 'self' 'unsafe-inline'; "       \
+  "img-src 'self' blob:;"
 
 /**
  * @brief Default "max-age" for HTTP header "Strict-Transport-Security"
@@ -172,7 +174,7 @@
 #define DEFAULT_GSAD_PER_IP_CONNECTION_LIMIT 30
 
 #define COPYRIGHT                                                        \
-  "Copyright (C) 2010 - 2020 Greenbone Networks GmbH\n"                  \
+  "Copyright (C) 2010 - 2021 Greenbone Networks GmbH\n"                  \
   "License: AGPL-3.0-or-later\n"                                         \
   "This is free software: you are free to change and redistribute it.\n" \
   "There is NO WARRANTY, to the extent permitted by law.\n\n"